CVE-2022-43430
HIGH7.1EPSS 4.4%XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin
發布日:2022/10/19修改日:2024/2/16
描述
Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
受影響套件(1)
- Maven/com.compuware.jenkins:compuware-topaz-for-total-testfrom 0, < 2.4.9
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-43430
- PATCHhttps://github.com/jenkinsci/compuware-topaz-for-total-test-plugin
- WEBhttps://github.com/jenkinsci/compuware-topaz-for-total-test-plugin/commit/9ce24fb63fcdb94290340d2ec53f478635c416ab
- WEBhttps://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2625
- WEBhttp://www.openwall.com/lists/oss-security/2022/10/19/3