Moderate severity · NVD Advisory · Published Oct 19, 2022 · Updated May 8, 2025
CVE-2022-43424
Description
Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
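An added example, not part of the advisory or the plugin's code: a source-audit heuristic for the pattern the description names, a `hudson.remoting.Callable` whose `checkRoles()` never consults the `RoleChecker`. The regexes and function names are assumptions of this example, and the two samples are constructed by condensing the class before and after the fix commit listed under Patches.

```python
import re

# Heuristic patterns (assumptions of this example, not a full Java parser).
CLASS_RE = re.compile(r"class\s+(\w+)[^{]*\bimplements\b[^{]*\bCallable\s*<")
CHECK_RE = re.compile(r"void\s+checkRoles\s*\(\s*RoleChecker\s+(\w+)\s*\)[^{]*\{")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def method_body(src, open_brace):
    """Return the text between the brace at open_brace and its match."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace + 1:i]
    return src[open_brace + 1:]

def find_unchecked_callables(java_source):
    """Names of Callable classes whose checkRoles() never uses the checker."""
    src = COMMENT_RE.sub("", java_source)  # comments must not count as code
    cls = CLASS_RE.search(src)
    if cls is None:
        return []  # e.g. extends MasterToSlaveCallable, which checks roles
    chk = CHECK_RE.search(src, cls.end())
    if chk is None:
        return []  # no local checkRoles(); inherited, out of scope here
    body = method_body(src, chk.end() - 1)
    uses_checker = re.search(r"\b%s\s*\." % re.escape(chk.group(1)), body)
    return [] if uses_checker else [cls.group(1)]

# Constructed samples: the class before and after the fix commit, condensed.
BEFORE = """
public class RemoteSystemProperties implements Callable<Properties, RuntimeException>
{
    public Properties call() { return System.getProperties(); }
    @Override
    public void checkRoles(RoleChecker checker)
    {
        // Implementation required by interface, but not using
    }
}
"""
AFTER = """
public class RemoteSystemProperties extends MasterToSlaveCallable<Properties, RuntimeException> {
    public Properties call() { return System.getProperties(); }
}
"""

if __name__ == "__main__":
    print(find_unchecked_callables(BEFORE), find_unchecked_callables(AFTER))
```

A hit is a lead for manual review rather than proof of a flaw: the heuristic reads one class per source string and does not resolve inheritance.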
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.compuware.jenkins:compuware-xpediter-code-coverage (Maven) | < 1.0.8 | 1.0.8 |
Affected products
- Range: unspecified
Patches
e506fc9e77a2 · Merge pull request #16 from jenkinsci/bugfix/ZENG-253105-address-security-2627
https://github.com/jenkinsci/compuware-xpediter-code-coverage-plugin · Dave Dresser · Mar 23, 2022 · via ghsa
1 file changed · +6 −15
src/main/java/com/compuware/jenkins/build/RemoteSystemProperties.java+6 −15 modified@@ -2,6 +2,7 @@ * The MIT License (MIT) * * Copyright (c) 2016, 2017 Compuware Corporation + * (c) Copyright 2016-2017, 2022 BMC Software, Inc. * * Permission is hereby granted, free of charge, to any person obtaining a copy of this software * and associated documentation files (the "Software"), to deal in the Software without restriction, @@ -18,28 +19,18 @@ */ package com.compuware.jenkins.build; -import hudson.remoting.Callable; import java.util.Properties; -import org.jenkinsci.remoting.RoleChecker; + +import jenkins.security.MasterToSlaveCallable; /** * Get remote system properties */ -public class RemoteSystemProperties implements Callable<Properties, RuntimeException> -{ +public class RemoteSystemProperties extends MasterToSlaveCallable<Properties, RuntimeException> { + private static final long serialVersionUID = -8859580651709239685L; - public Properties call() - { + public Properties call() { return System.getProperties(); } - - /* (non-Javadoc) - * @see org.jenkinsci.remoting.RoleSensitive#checkRoles(org.jenkinsci.remoting.RoleChecker) - */ - @Override - public void checkRoles(RoleChecker checker) - { - // Implementation required by interface, but not using - } }
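Review bot: The class Javadoc in the second hunk still reads only "Get remote system properties" and should say that the callable is meant to be sent from the controller and executed on an agent, since that direction constraint is the reason for extending MasterToSlaveCallable and the removed checkRoles() body, with its "Implementation required by interface, but not using" comment, is what left execution unrestricted. Separately, call() still returns the whole System.getProperties() set; if callers only read a few keys, returning just those would narrow what crosses the channel.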
References
- github.com/advisories/GHSA-mfcw-83qg-4vw3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-43424 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/10/19/3 (ghsa, mailing-list, WEB)
- github.com/jenkinsci/compuware-xpediter-code-coverage-plugin/commit/e506fc9e77a2609f6a5aa331e052d35be652071c (ghsa, WEB)
- www.jenkins.io/security/advisory/2022-10-19/ (ghsa, WEB)