CVE-2022-43423: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

October 19, 2022 (updated October 20, 2022)

Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

References

www.openwall.com/lists/oss-security/2022/10/19/3
github.com/advisories/GHSA-682j-2p53-xp5f
nvd.nist.gov/vuln/detail/CVE-2022-43423
www.jenkins.io/security/advisory/2022-10-19/

Detect and mitigate CVE-2022-43423 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →