Moderate severity · NVD Advisory · Published Jul 27, 2022 · Updated Aug 3, 2024

CVE-2022-36899

Description

Jenkins Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict execution of a controller/agent message, allowing attackers controlling agents to retrieve Java system properties.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The Jenkins Compuware ISPW Operations Plugin (now known as the BMC AMI DevX Code Pipeline Operations Plugin) in versions 1.0.8 and earlier does not properly restrict the execution of controller-to-agent messages. This flaw allows agent-side operations to be performed without adequate authorization checks on the controller, enabling a security bypass at the agent level [1][4].

Exploitation Vector

An attacker who can control the behavior of a Jenkins agent process—for example, by compromising the agent machine or exploiting a separate vulnerability—can craft a malicious message intended for the controller. Because the plugin fails to restrict which operations can be invoked via such agent-originated messages, the attacker can leverage this to request sensitive JVM internal properties from the controller [1][4]. No additional authentication is required once the attacker has agent-level access, making this a medium-severity issue with a CVSS score not yet formally assessed by NVD [4].

Impact

Successful exploitation leads to the disclosure of Java system properties from the Jenkins controller. These properties can reveal configuration details, environment variables, file paths, and other internal state information that might aid an attacker in further compromising the Jenkins instance or its connected systems [1].

Mitigation

The vulnerability is fixed in Compuware ISPW Operations Plugin version 1.0.9, released as part of the July 27, 2022 Jenkins security advisory [1][2]. Users are strongly advised to upgrade to this version or later. No workarounds are documented; upgrading is the recommended action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.compuware.jenkins:compuware-ispw-operations (Maven) | < 1.0.9 | 1.0.9
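
To audit controllers against the affected range above, the following added example (not part of the advisory or the plugin's code) classifies a plugin inventory as returned by Jenkins' `/pluginManager/api/json?depth=1` endpoint. The plugin short name is assumed to match the Maven artifact ID, and the sample inventory is constructed.

```python
import json
import re

PLUGIN_ID = "compuware-ispw-operations"  # assumption: short name equals the Maven artifact ID
FIXED = (1, 0, 9)                        # first patched version per this advisory

# Constructed sample of a trimmed /pluginManager/api/json?depth=1 response.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "compuware-ispw-operations", "version": "1.0.8", "enabled": True},
    {"shortName": "git", "version": "4.11.3", "enabled": True},
]})


def parse_version(text):
    """Split '1.0.10' or '1.0.9-SNAPSHOT' into (numeric tuple, has_suffix)."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    parts += (0,) * (len(FIXED) - len(parts))  # pad '1.0' to (1, 0, 0)
    return parts, bool(match.group(2).strip())


def audit(inventory_json):
    """Return (status, version) for the plugin in one controller's inventory."""
    plugins = json.loads(inventory_json).get("plugins", [])
    for plugin in plugins:
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = plugin.get("version", "")
        try:
            numeric, has_suffix = parse_version(version)
        except ValueError:
            return ("unknown", version)  # review by hand rather than assume safe
        if numeric == FIXED and has_suffix:
            return ("unknown", version)  # e.g. 1.0.9-SNAPSHOT may predate the fix
        # Tuple comparison is numeric, so 1.0.10 sorts after 1.0.9.
        return ("affected" if numeric < FIXED else "patched", version)
    return ("not-installed", None)


if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Comparing versions as integer tuples rather than strings matters here: a string comparison would sort `1.0.10` before `1.0.9` and flag a patched controller as affected.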
