Description

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/10/19/3

https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624

Related Vulnerabilities

CVE-2022-45392 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration

CVE-2022-31142 Vulnerability in npm package fastify-bearer-auth

CVE-2019-15600 Vulnerability in npm package http_server

CVE-2019-10759 Vulnerability in npm package safer-eval

CVE-2017-12612 Vulnerability in maven package org.apache.spark:spark-core_2.11

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory NVD-CWE-noinfo