CVE-2022-43423

Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

CVSS v3.0 5.3 MEDIUM

5.3^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/10/19/3	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/10/19/3	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622	Vendor Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:jenkins:compuware_source_code_download_for_endevor\,_pds\,_and_ispw:*:*:*:*:*:jenkins:*:*

OR	cpe:2.3:a:jenkins:jenkins:::::lts:::*
	cpe:2.3:a:jenkins:jenkins:::::-:::*

History

08 May 2025, 19:15

Type	Values Removed	Values Added
References	~~(CONFIRM) https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622 - Vendor Advisory~~	() https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622 - Vendor Advisory
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2022/10/19/3 - Mailing List, Third Party Advisory~~	() http://www.openwall.com/lists/oss-security/2022/10/19/3 - Mailing List, Third Party Advisory

Information

Published : 2022-10-19 16:15

Updated : 2025-05-08 19:15

NVD link : CVE-2022-43423

Mitre link : CVE-2022-43423

JSON object : View

Products Affected

jenkins

jenkins
compuware_source_code_download_for_endevor\,_pds\,_and_ispw

CWE

NVD-CWE-noinfo

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "name": "[oss-security] 20221019 Multiple vulnerabilities in Jenkins plugins", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}, {"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "name": "[oss-security] 20221019 Multiple vulnerabilities in Jenkins plugins", "tags": ["Mailing List", "Third Party Advisory"], "refsource": ""}, {"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622", "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622", "name": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622", "tags": ["Vendor Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-43423", "ASSIGNER": "jenkinsci-cert@googlegroups.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}}, "publishedDate": "2022-10-19T16:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:jenkins:compuware_source_code_download_for_endevor\\,_pds\\,_and_ispw:*:*:*:*:*:jenkins:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.0.13"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": false, "versionEndIncluding": "2.303.2"}, {"cpe23Uri": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": false, "versionEndIncluding": "2.318"}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-05-08T19:15Z"}