Description
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/10/19/3
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624
Related Vulnerabilities
CVE-2023-36479 Vulnerability in maven package org.eclipse.jetty.ee10:jetty-ee10-servlets
CVE-2021-21175 Vulnerability in maven package org.webjars.npm:electron
CVE-2022-43432 Vulnerability in maven package org.jenkins-ci.plugins:xframium
CVE-2020-2118 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-githubnotify-step
CVE-2022-35961 Vulnerability in maven package org.webjars.npm:openzeppelin__contracts-upgradeable