CVE-2022-43417
Description
Jenkins Katalon Plugin 1.0.32 and earlier lacks permission checks, allowing attackers with Overall/Read to exfiltrate credentials via attacker-controlled URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2022-43417 affects the Jenkins Katalon Plugin versions 1.0.32 and earlier. The plugin fails to perform permission checks in several HTTP endpoints, enabling an attacker with only Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method [1][3]. This allows the attacker to capture credentials stored in Jenkins.
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have Overall/Read permission on the Jenkins instance, which is a low-privilege access level. Additionally, the attacker must obtain valid credentials IDs through a separate vulnerability or information disclosure [1][2]. Once these prerequisites are met, the attacker can craft requests to the vulnerable endpoints, causing the plugin to send stored credentials to an external URL under the attacker's control.
Impact
Successful exploitation results in the exfiltration of Jenkins credentials, which may include passwords, API tokens, or other secrets. These credentials can then be used to gain further unauthorized access to Jenkins or connected systems, potentially leading to a broader compromise of the CI/CD pipeline [1][3].
Mitigation
The vulnerability has been fixed in Katalon Plugin versions 1.0.33 and 1.0.34 [2]. Users are strongly advised to upgrade to one of these versions immediately. No workaround is documented; upgrading is the only recommended mitigation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:katalonMaven | < 1.0.33 | 1.0.33 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-5fvg-h778-jjjx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-43417 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/10/19/3 (oss-security mailing list)
- www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory; also cited by MITRE)
News mentions
No linked articles in our index yet.