CVE-2022-43423
Description
Jenkins Compuware Source Code Download plugin 2.0.12 and earlier allows attackers with agent control to read Java system properties from the controller, leading to information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability details
CVE-2022-43423 affects Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin versions 2.0.12 and earlier [1]. The plugin implements an agent/controller message that does not restrict where it can be executed, allowing attackers who control agent processes to obtain Java system properties from the controller [4].
Exploitation
An attacker must control an agent process (for example, a compromised agent) to exploit this vulnerability. The message carries no check on where it may execute, so no credentials beyond agent access are needed [1][2]. No user interaction is required.
Impact
Successful exploitation allows the attacker to read Java system properties from the Jenkins controller, which may contain sensitive data such as configuration secrets, passwords, or environment details, leading to information disclosure [4].
Mitigation
The vulnerability is patched in version 2.0.13 of the plugin [2]. Users should upgrade to this version or later. There are no reported workarounds.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
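A quick way to act on the mitigation above is to ask the controller which plugin versions it is running and flag the affected range. This is an added example, not part of the advisory or the plugin; it assumes the plugin's short name is `compuware-scm-downloader` (taken from the Maven artifactId on this page) and uses the standard Jenkins plugin-manager JSON API, with a constructed sample response so it runs offline.

```python
"""Flag an installed Compuware Source Code Download plugin in the affected
range (< 2.0.13). Assumed short name: "compuware-scm-downloader". Real input
comes from GET <jenkins>/pluginManager/api/json?tree=plugins[shortName,version,active];
the sample below is constructed so the script runs offline."""
import json
from typing import Optional

PLUGIN_SHORT_NAME = "compuware-scm-downloader"  # assumed short name
FIXED_VERSION = "2.0.13"                        # first patched version per the advisory

# Constructed sample of the plugin-manager API response (not real controller output).
SAMPLE_RESPONSE = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "git", "version": "4.11.5", "active": True},
        {"shortName": "compuware-scm-downloader", "version": "2.0.12", "active": True},
    ],
})


def parse_version(version: str) -> tuple:
    """Map '2.0.12' or '2.0.13 (private-abc)' to a tuple of ints for ordering."""
    # Compare only the leading dotted-numeric part; build qualifiers are dropped.
    core = (version.strip().split() or [""])[0].split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts before the first fixed version."""
    return parse_version(version) < parse_version(fixed)


def find_affected(api_json: str, short_name: str = PLUGIN_SHORT_NAME) -> Optional[dict]:
    """Return the plugin record if installed in an affected version, else None.

    Disabled plugins are reported too: the code stays on disk and is exposed
    again as soon as someone re-enables it.
    """
    for plugin in json.loads(api_json).get("plugins", []):
        version = plugin.get("version", "0")
        if plugin.get("shortName") == short_name and is_affected(version):
            return {"shortName": short_name, "version": version,
                    "active": plugin.get("active"), "fix": FIXED_VERSION}
    return None


if __name__ == "__main__":
    hit = find_affected(SAMPLE_RESPONSE)
    print("affected:", hit if hit else "no")
```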
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.compuware.jenkins:compuware-scm-downloader (Maven) | < 2.0.13 | 2.0.13 |
Affected products
- Range: unspecified
Patches
115f057078ba Merge pull request #40 from jenkinsci/bugfix/ZENG-253105-address-security-2622
1 file changed · +7 −16
src/main/java/com/compuware/jenkins/scm/RemoteSystemProperties.java+7 −16 modified@@ -2,7 +2,8 @@ * The MIT License (MIT) * * Copyright (c) 2015 - 2018 Compuware Corporation - * + * (c) Copyright 2015-2018, 2022 BMC Software, Inc. + * * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation * files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, * modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the @@ -16,28 +17,18 @@ */ package com.compuware.jenkins.scm; -import hudson.remoting.Callable; import java.util.Properties; -import org.jenkinsci.remoting.RoleChecker; + +import jenkins.security.MasterToSlaveCallable; /** * Get remote system properties */ -public class RemoteSystemProperties implements Callable<Properties, RuntimeException> -{ +public class RemoteSystemProperties extends MasterToSlaveCallable<Properties, RuntimeException> { + private static final long serialVersionUID = -8859580651709239685L; - public Properties call() - { + public Properties call() { return System.getProperties(); } - - /* (non-Javadoc) - * @see org.jenkinsci.remoting.RoleSensitive#checkRoles(org.jenkinsci.remoting.RoleChecker) - */ - @Override - public void checkRoles(RoleChecker checker) - { - // Implementation required by interface, but not using - } }
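Review bot: the actual defect is the removed no-op checkRoles(RoleChecker) body in the second hunk: a Callable that never calls checker.check declares no expected execution role, so nothing rejects it when an agent sends it to the controller, where call() hands back the controller's System.getProperties(). Switching from implements Callable to extends MasterToSlaveCallable is the right fix because that base class performs the role check for controller-to-agent callables. Two follow-ups for the same hunk: the class Javadoc still reads only "Get remote system properties" and should state that the callable is controller-to-agent only, and any other callable in the plugin that still pairs implements Callable with an empty checkRoles should get the same treatment.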
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-682j-2p53-xp5f (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-43423 (advisory)
- [3] www.openwall.com/lists/oss-security/2022/10/19/3 (mailing list)
- [4] github.com/jenkinsci/compuware-scm-downloader-plugin/commit/115f057078baad506e2b34b74f4f0600f81990b3 (fix commit)
- [5] www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory)