4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36895

GHSA ID

GHSA-qf4p-7gqc-x6jx

EPSS Score

0.62642%

CWE

CWE-862

Published

7/28/2022

Updated

1/5/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36895

CVE-2022-36895: Jenkins Compuware Topaz Utilities Plugin is missing authorization

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be used as part of an attack to capture the credentials using another vulnerability.

Compuware Topaz Utilities Plugin 1.0.9 requires the appropriate permissions to enumerate hosts and ports of Compuware configurations and credentials IDs.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36895

GHSA ID

GHSA-qf4p-7gqc-x6jx

EPSS Score

0.62642%

CWE

CWE-862

Published

7/28/2022

Updated

1/5/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.compuware.jenkins:compuware-topaz-utilities	maven	<= 1.0.8	1.0.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows these two methods in JclDescriptorImpl.java received authorization checks in version 1.0.9. Prior versions lacked these checks, allowing unauthorized access to sensitive configuration data. These methods directly correspond to the vulnerability's description of credential ID and host/port enumeration endpoints.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *ompuw*r* Top*z Utiliti*s Plu*in *.*.* *n* **rli*r *o*s not p*r*orm p*rmission ****ks in s*v*r*l *TTP *n*points. T*is *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *num*r*t* *osts *n* ports o* *ompuw*r* *on*i*ur*tions *n* *r***nti*ls I*s

Reasoning

T** *ommit *i** s*ows t**s* two m*t*o*s in `J*l**s*riptorImpl.j*v*` r***iv** *ut*oriz*tion ****ks in v*rsion *.*.*. Prior v*rsions l**k** t**s* ****ks, *llowin* un*ut*oriz** ****ss to s*nsitiv* *on*i*ur*tion **t*. T**s* m*t*o*s *ir**tly *orr*spon* to

4.3

Basic Information

Concerned about an active attack path?

CVE-2022-36895: Jenkins Compuware Topaz Utilities Plugin is missing authorization

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI