[JENKINS:SECURITY-2844] Agent-to-controller security bypass vulnerability in `katalon`
katalon 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments.
It allows attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments.
Attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) can invoke arbitrary OS commands.
NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.
See the link:/doc/upgrade-guide/2.303/#upgrading-to-jenkins-lts-2-303-3[LTS upgrade guide].
katalon 1.0.33 changes the message type to controller-to-agent, preventing execution on the controller.
| Package | Affected Version |
|---|---|
 pkg:maven/org.jenkins-ci.plugins/katalon
|
<= 1.0.32 |
 pkg:github/jenkinsci/katalon-plugin
|
<= 1.0.32 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.jenkins-ci.plugins/katalon
|
= 1.0.33 |
|
pkg:github/jenkinsci/katalon-plugin
|
= 1.0.33 |
- ID
- JENKINS:SECURITY-2844
- Severity
- high
- Published
-
2022-10-19T00:00:00
(23 months ago) - Modified
-
2022-10-19T00:00:00
(23 months ago) - Rights
- Jenkins Security Team
- Other Advisories
MAVEN:GHSA-Q6F6-6C4P-XPH4| Source | # ID | Name | URL |
|---|---|---|---|
| Plugin repository | katalon repository |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/katalon | org.jenkins-ci.plugins |
katalon
|
<= 1.0.32 | |||
| Fixed | pkg:maven/org.jenkins-ci.plugins/katalon | org.jenkins-ci.plugins |
katalon
|
= 1.0.33 | |||
| Affected | pkg:github/jenkinsci/katalon-plugin | jenkinsci |
katalon-plugin
|
<= 1.0.32 | |||
| Fixed | pkg:github/jenkinsci/katalon-plugin | jenkinsci |
katalon-plugin
|
= 1.0.33 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |