CVE-2022-43422
Description
Jenkins Compuware Topaz Utilities Plugin ≤1.0.8 allows attackers controlling agent processes to read Java system properties from the controller via an unrestricted agent/controller message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The Jenkins Compuware Topaz Utilities Plugin versions 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed. This design flaw allows attackers who are able to control agent processes to obtain the values of Java system properties from the Jenkins controller process [1][2].
Exploitation
An attacker must have the ability to control an agent process, for example by having agent access or compromising an agent node. The attacker can then send a crafted message to the controller to retrieve system properties. The message is not scoped to the agent's own context, enabling the extraction of controller-side properties without additional authentication [1].
Impact
Successful exploitation allows an attacker to read Java system properties from the Jenkins controller. These properties may contain sensitive information such as credentials, configuration secrets, or environment variables, potentially leading to further compromise of the Jenkins environment [1][2].
Mitigation
The vulnerability is fixed in Compuware Topaz Utilities Plugin version 1.0.9. Users should upgrade to this version or later. No workarounds are available [1][2].
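To make the "does not limit where it can be executed" point concrete, the following is an added illustration (not the plugin's own code, not the advisory's) of the two shapes such a callable can take in Jenkins remoting. The class names `UnrestrictedSystemProperties` and `AgentOnlySystemProperties` are hypothetical; the example assumes the standard `hudson.remoting.Callable`, `org.jenkinsci.remoting.RoleChecker` and `jenkins.security.Roles` APIs from jenkins-core and the remoting library are on the classpath. The hardened variant spells out the role check that `MasterToSlaveCallable` (the base class the fix switches to) performs in its own `checkRoles()`.

```java
import java.util.Properties;

import hudson.remoting.Callable;
import jenkins.security.Roles;
import org.jenkinsci.remoting.RoleChecker;

/**
 * Hypothetical example of the defect class: a Callable whose checkRoles()
 * is a no-op declares no expected role, so the remoting layer lets it run
 * in either direction, including agent -> controller.
 */
final class UnrestrictedSystemProperties implements Callable<Properties, RuntimeException> {
    private static final long serialVersionUID = 1L;

    @Override
    public Properties call() {
        // Runs wherever the callable is received; from an agent this is the controller.
        return System.getProperties();
    }

    @Override
    public void checkRoles(RoleChecker checker) throws SecurityException {
        // Empty: nothing restricts which side of the channel may execute this.
    }
}

/**
 * Hypothetical hardened counterpart: the callable declares that it is only
 * meant to execute on an agent. When a controller receives it from an agent,
 * RoleChecker.check() throws SecurityException and call() never runs.
 * jenkins.security.MasterToSlaveCallable encapsulates exactly this check.
 */
final class AgentOnlySystemProperties implements Callable<Properties, RuntimeException> {
    private static final long serialVersionUID = 1L;

    @Override
    public Properties call() {
        // Return a copy so the requesting side cannot mutate the live Properties object.
        Properties copy = new Properties();
        copy.putAll(System.getProperties());
        return copy;
    }

    @Override
    public void checkRoles(RoleChecker checker) throws SecurityException {
        // Roles.SLAVE is the agent role in jenkins-core's Roles class (assumed name).
        checker.check(this, Roles.SLAVE);
    }
}
```

The enforcement happens before `call()` is invoked: the receiving side asks the callable which role it expects via `checkRoles()`, and a controller-side `RoleChecker` rejects anything that expects the agent role. A callable with an empty `checkRoles()` expects nothing, which is why the plugin's original class could be driven from an agent against the controller.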
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.compuware.jenkins:compuware-topaz-utilities (Maven) | < 1.0.9 | 1.0.9 |
Affected products
- Range: unspecified
Patches
a91bae5fcfb1 Merge pull request #14 from jenkinsci/bugfix/ZENG-253105-address-security-2620
1 file changed · +6 −15
src/main/java/com/compuware/jenkins/build/RemoteSystemProperties.java+6 −15 modified@@ -2,6 +2,7 @@ * The MIT License (MIT) * * Copyright (c) 2016, 2017 Compuware Corporation + * (c) Copyright 2016-2017, 2022 BMC Software, Inc. * * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation * files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, @@ -16,28 +17,18 @@ */ package com.compuware.jenkins.build; -import hudson.remoting.Callable; import java.util.Properties; -import org.jenkinsci.remoting.RoleChecker; + +import jenkins.security.MasterToSlaveCallable; /** * Get remote system properties */ -public class RemoteSystemProperties implements Callable<Properties, RuntimeException> -{ +public class RemoteSystemProperties extends MasterToSlaveCallable<Properties, RuntimeException> { + private static final long serialVersionUID = 1859119186947852696L; - public Properties call() - { + public Properties call() { return System.getProperties(); } - - /* (non-Javadoc) - * @see org.jenkinsci.remoting.RoleSensitive#checkRoles(org.jenkinsci.remoting.RoleChecker) - */ - @Override - public void checkRoles(RoleChecker checker) - { - // Implementation required by interface, but not using - } }
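Review bot: the removed no-op `checkRoles(RoleChecker checker)` in the second hunk was the actual defect, and the hunk should say so rather than leaving the class Javadoc at "Get remote system properties". A `Callable` whose `checkRoles` does nothing declares no expected role, so an agent could send it to the controller and receive the controller's `System.getProperties()`; extending `MasterToSlaveCallable` fixes this only because the base class's own `checkRoles` enforces the agent role. Suggest extending the Javadoc with one line stating that this callable must only execute on an agent and that the base class must not be swapped back to a plain `Callable`, so the restriction survives a future refactor. Minor: `call()` still returns the live `Properties` object rather than a copy; since it now runs on the agent this is not a security issue, but a copy (`new Properties()` plus `putAll`) would be the defensive default.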
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2x49-wj38-78q9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-43422 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/10/19/3 (oss-security mailing list)
- github.com/jenkinsci/compuware-topaz-utilities-plugin/commit/a91bae5fcfb17d2d0af0c86c2870f10b2bb9c20a (fix commit)
- www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory)