
CVE-2022-43424: Agent-to-controller security bypass vulnerability in Jenkins Compuware Xpediter Code Coverage Plugin

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.32094%
Published: 10/19/2022
Updated: 1/5/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name: com.compuware.jenkins:compuware-xpediter-code-coverage
Ecosystem: maven
Vulnerable Versions: < 1.0.8
First Patched Version: 1.0.8

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from a hudson.remoting.Callable implemented without the security control that restricts where it may run. The commit diff shows the class was changed to extend MasterToSlaveCallable, which marks the callable as one the controller sends to agents and causes the controller to reject it when an agent sends it the other way. The original implementation's checkRoles method performed no validation, and its call() method returned Java system properties of whichever JVM executed it. Together these allowed a process controlling an agent to execute controller-side operations and read the controller's system properties. The CWE-693 (Protection Mechanism Failure) mapping reflects this bypass of the remoting role check.
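The pattern the analysis describes, shown as an added illustration rather than the plugin's own code: a raw Callable with an empty checkRoles() beside the MasterToSlaveCallable form the fix adopts. The class names and the property-lookup body are assumptions; only the two base classes and the role check they imply are real Jenkins remoting API.

```java
import hudson.remoting.Callable;
import jenkins.security.MasterToSlaveCallable;
import org.jenkinsci.remoting.RoleChecker;

// BEFORE (hypothetical reconstruction of the vulnerable shape):
// a raw Callable whose checkRoles() does nothing, so the remoting layer
// has no way to refuse it when it arrives at the controller from an agent.
class SystemPropertyCallableBefore implements Callable<String, RuntimeException> {
    private final String key;

    SystemPropertyCallableBefore(String key) {
        this.key = key;
    }

    @Override
    public String call() {
        // Executes in whichever JVM receives the callable; sent from an
        // agent, that JVM is the controller, so its properties are returned.
        return System.getProperty(key);
    }

    @Override
    public void checkRoles(RoleChecker checker) throws SecurityException {
        // Empty body: the protection mechanism exists but is never applied (CWE-693).
    }
}

// AFTER (the shape the fix moves to): MasterToSlaveCallable supplies a
// checkRoles() that requires the executing side to hold the agent role.
// The controller's RoleChecker does not grant that role, so an agent-originated
// copy is rejected with a SecurityException before call() ever runs.
class SystemPropertyCallableAfter extends MasterToSlaveCallable<String, RuntimeException> {
    private final String key;

    SystemPropertyCallableAfter(String key) {
        this.key = key;
    }

    @Override
    public String call() {
        // Same body as before; only the direction it may travel has changed.
        return System.getProperty(key);
    }
}
```

The fix therefore needs no change to call() itself: inheriting the role check is what closes the agent-to-controller path, and any plugin callable that still implements hudson.remoting.Callable directly with a no-op checkRoles() deserves the same review.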
