1. Home
  2. Vulnerabilities
  3. CVE-2022-43416

CVE-2022-43416

CVSS v3.1 8.8 (High)
88% Progress
EPSS 0.10 % (43th)
0.10% Progress
Affected Products 2
Advisories 2
Info CVSS EPSS Affected Configurations References Security Advisories Packages & Software Tools, Exploits & PoC Graph Web & Social Timeline

Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments, and attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) to invoke arbitrary OS commands.

Weaknesses
CWE-NVD-noinfo
CVE Status
PUBLISHED
CNA
Jenkins Project
Published Date
2022-10-19 16:15:11
(23 months ago)
Updated Date
2023-11-01 20:43:35
(10 months ago)

Affected Products

Jenkins

Configuration #1

AND
    CPE23 From Up To
OR  
  Jenkins Katalon for Jenkins prior 1.0.33 version cpe:2.3:a:jenkins:katalon::*:*:*:*:jenkins < 1.0.33
OR  
  Running on/with
  Jenkins 2.303.2 and prior versions cpe:2.3:a:jenkins:jenkins::*:*:*:lts <= 2.303.2
OR  
  Running on/with
  Jenkins 2.318 and prior versions cpe:2.3:a:jenkins:jenkins::*:*:*:- <= 2.318