CVE-2022-43428 Compuware Topaz for Total Test Plugin 2.4.8 and earlier allows attackers to execute agent/controller commands and get Java system properties. This could lead to system information disclosure.

This can lead to the exposure of user credentials, sensitive information, and other data by an attacker if Jenkins is running in a managed environment (e.g., in a corporate network). This issue has been addressed by Liming Fei of the MITRE Corporation by releasing version 2.4.9 of Jenkins. Vendor Information Vendor Compuware Vendor Status Unknown Topaz Product version 2.4.8 and earlier Acknowledgements The issue was initially reported to the Jenkins security team by Liming Fei of the MITRE Corporation. After further analysis, it was determined that this issue will be addressed in the next release of Jenkins (version 2.4.9).


It should be noted that this issue is currently only applicable to Jenkins Enterprise, as Compuware does not ship the Topaz testing software with their open source Jenkins. A patch for Jenkins Standard will be made available in due course, and customers of that version are advised to upgrade.

Summary:

The issue has been addressed by Liming Fei of the MITRE Corporation by releasing version 2.4.9 of Jenkins.
This issue is currently only applicable to Jenkins Enterprise, as Compuware does not ship the Topaz testing software with their open source Jenkins.
Vendor Information Vendor Compuware Vendor Status Unknown Topaz Product version 2.4.8 and earlier

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known information security vulnerabilities and exposures. The CVE dictionary has over 3,000 entries with detailed descriptions of their impact and solutions or mitigations. The dictionary is maintained by the MITRE Corporation, which also maintains this website for CVE.

The Common Vulnerabilities and Exposures (CVE) is a list of publicly known information security vulnerabilities and exposures. This list can be used to determine if a system has been affected by a potential vulnerability, as well as to see if any help articles or other information exist for that particular vulnerability.

Summary

The issue was initially reported to the Jenkins security team by Liming Fei of the MITRE Corporation.

The Basics of the CVE-2022-43428

A security flaw has been discovered in Jenkins, which allows a remote attacker to gain access to the system. This issue was reported by Liming Fei of the MITRE Corporation and will be addressed in the next release (version 2.4.9) of Jenkins. The bug is only applicable for users running Jenkins Enterprise, as Compuware does not ship the Topaz testing software with their open source Jenkins.

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/22/2022 02:21:00 UTC

References

• https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624
• http://www.openwall.com/lists/oss-security/2022/10/19/3
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-43428