4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-43422

GHSA ID

GHSA-2x49-wj38-78q9

EPSS Score

0.32094%

CWE

CWE-693

Published

10/19/2022

Updated

1/4/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-43422

CVE-2022-43422: Agent-to-controller security bypass vulnerability in Jenkins Compuware Topaz Utilities Plugin

Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed.

It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

Compuware Topaz Utilities Plugin 1.0.9 restricts execution of the agent/controller message to agents.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-43422

CVE-2022-43422:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-43422

GHSA ID

GHSA-2x49-wj38-78q9

EPSS Score

0.32094%

CWE

CWE-693

Published

10/19/2022

Updated

1/4/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.compuware.jenkins:compuware-topaz-utilities	maven	< 1.0.9	1.0.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from using an unrestricted Callable implementation that didn't enforce execution location. The commit diff shows the class was changed from implementing hudson.remoting.Callable to extending jenkins.security.MasterToSlaveCallable, which explicitly restricts execution to agents. The original implementation's checkRoles method was empty (a common pattern in insecure Callables), allowing the message to execute on the controller. The call() method's access to System.getProperties() becomes dangerous when executed on the controller node, which is exactly what the vulnerability describes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-43422: Agent-to-controller security bypass vulnerability in Jenkins Compuware Topaz Utilities Plugin

CVE-2022-43422:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2022-43422: Agent-to-controller security bypass vulnerability in Jenkins Compuware Topaz Utilities Plugin

4.3

4.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI