Arbitrary Command Execution Vulnerability in Jenkins Katalon Plugin by Jenkins
CVE-2022-43416

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Katalon Plugin
Vendor: CVE Published:; 19 October 2022

Summary

The Jenkins Katalon Plugin, up to version 1.0.32, allows attackers who can control agent processes to execute Katalon commands on the Jenkins controller with user-configured arguments. This flaw enables these attackers to specify arbitrary versions, installation locations, and arguments, potentially leading to unauthorized file creation or arbitrary OS command execution. Users with the 'Item/Configure' permission are particularly at risk as they could manipulate artifact archives, which heightens the security threat posed by this vulnerability.

Affected Version(s)

Jenkins Katalon Plugin <= 1.0.32

References

https://www.jenkins.io/security/advisory/2022-10-19/#SECU...

http://www.openwall.com/lists/oss-security/2022/10/19/3

mailing-list

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 19, 2022
Vulnerability Reserved
Oct 18, 2022