VYPR
← All advisories
High severityNVD Advisory· Published Oct 19, 2022· Updated May 8, 2025

CVE-2022-43428

CVE-2022-43428

Description

Jenkins Compuware Topaz for Total Test Plugin ≤2.4.8 allows agents to read Java system properties from the controller via an unrestricted agent/controller message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Compuware Topaz for Total Test Plugin ≤2.4.8 allows agents to read Java system properties from the controller via an unrestricted agent/controller message.

CVE-2022-43428 is a vulnerability in the Jenkins Compuware Topaz for Total Test Plugin (formerly BMC AMI DevX Total Test Plugin) versions 2.4.8 and earlier. The plugin implements an agent/controller message that does not restrict where it can be executed, allowing a compromised or malicious agent to execute this message on the Jenkins controller [1][4]. The issue lies in the lack of proper authorization or location validation for the message handling, contrary to the principle that controller-bound messages should only be executable on the controller side [1].

To exploit this vulnerability, an attacker must first have control over an agent process in the Jenkins environment. This could occur if the attacker already has access to an agent node or can trick an administrator into running a malicious script on an agent that triggers the message. The attacker does not need any additional permissions on the controller itself, as the vulnerability bypasses normal access controls by using the agent's ability to send messages to the controller [1][2]. The exploit leverages the existing agent-controller communication channel without requiring authentication beyond what the agent already has.

The impact is that an attacker who controls an agent process can obtain the values of Java system properties from the Jenkins controller process. This includes sensitive information such as environment variables, configuration settings, or credentials that are stored in system properties. The disclosure of such data could lead to further compromise of the Jenkins instance or connected systems [1][4]. The vulnerability is classified with a CVSS v3 score of 6.5 (Medium) according to the Jenkins advisory, though NVD has not yet assigned a severity [1][4].

The vulnerability is fixed in Compuware Topaz for Total Test Plugin version 2.4.9 and later, as recommended in the Jenkins Security Advisory 2022-10-19 [1][2]. Users should update to the latest version of the plugin. No workaround is documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the advisory date [1]. The affected plugin was also known as the "BMC AMI DevX Total Test Plugin" and is hosted on GitHub for reference [3].

References
  1. Jenkins Security Advisory 2022-10-19
  2. security - Multiple vulnerabilities in Jenkins plugins
  3. GitHub - jenkinsci/compuware-topaz-for-total-test-plugin: Jenkins Plugin for BMC AMI DevX Total Test
  4. NVD - CVE-2022-43428

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.compuware.jenkins:compuware-topaz-for-total-testMaven
< 2.4.92.4.9

Affected products

2

Patches

1
5fca6eb21599

SECURITY-2624:Arbitrary file read vulnerability due to empty role check (#52)

https://github.com/jenkinsci/compuware-topaz-for-total-test-pluginAjay AsatiDec 9, 2022via ghsa
commit
2 files changed · +10 29
  • src/main/java/com/compuware/jenkins/totaltest/RemoteSystemProperties.java+4 14 modified
    @@ -2,6 +2,7 @@
  * The MIT License (MIT)

  * 

  * Copyright (c) 2015 - 2018 Compuware Corporation

+ * (c) Copyright 2020-2022 BMC Software, Inc.

  * 

  * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation

  * files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy,

@@ -19,27 +20,16 @@
 

 import java.util.Properties;

 

-import org.jenkinsci.remoting.RoleChecker;

-

-import hudson.remoting.Callable;

+import jenkins.security.MasterToSlaveCallable;

 

 /**

  * Get remote system properties

  */

-public class RemoteSystemProperties implements Callable<Properties, RuntimeException>

+public class RemoteSystemProperties extends MasterToSlaveCallable<Properties, RuntimeException>

 {

 	private static final long serialVersionUID = -8859580651709239685L;

 

-	public Properties call()

-	{

+	public Properties call() {

 		return System.getProperties();

 	}

-

-	/* (non-Javadoc)

-	 * @see org.jenkinsci.remoting.RoleSensitive#checkRoles(org.jenkinsci.remoting.RoleChecker)

-	 */

-	@Override

-	public void checkRoles(RoleChecker checker) throws SecurityException

-	{

-	}

 }
  • src/main/java/com/compuware/jenkins/totaltest/TotalTestRunnerUtils.java+6 15 modified
    @@ -2,7 +2,7 @@
  * The MIT License (MIT)
  * 
  * Copyright (c) 2015-2020 Compuware Corporation
- * (c) Copyright 2019-2020 BMC Software, Inc.
+ * (c) Copyright 2019-2020 & 2020-2022BMC Software, Inc.
  * 
  * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation
  * files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy,
@@ -26,14 +26,16 @@
 import java.nio.file.Paths;
 import java.util.Collections;
 import java.util.List;
+
 import org.apache.commons.lang.StringUtils;
-import org.jenkinsci.remoting.RoleChecker;
+
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
 import com.cloudbees.plugins.credentials.domains.DomainRequirement;
 import com.cloudbees.plugins.credentials.matchers.IdMatcher;
 import com.compuware.jenkins.common.configuration.CpwrGlobalConfiguration;
 import com.compuware.jenkins.common.utils.CLIVersionUtils;
+
 import hudson.FilePath;
 import hudson.FilePath.FileCallable;
 import hudson.Launcher;
@@ -42,6 +44,7 @@
 import hudson.model.TaskListener;
 import hudson.remoting.VirtualChannel;
 import hudson.security.ACL;
+import jenkins.MasterToSlaveFileCallable;
 import jenkins.model.Jenkins;
 
 public class TotalTestRunnerUtils
@@ -504,13 +507,9 @@ public static boolean isMinimumRelease (final Launcher launcher, final TaskListe
 	 * @see hudson.FilePath#act(FileCallable)
 	 * 
 	 */
-	public static class GetRemoteUTF8FileContents implements FileCallable<String> {
+	public static class GetRemoteUTF8FileContents extends MasterToSlaveFileCallable<String> {
 		private static final long serialVersionUID = 1L;
 		
-		/*
-		 * (non-Javadoc)
-		 * @see hudson.FileCallable#invoke(File file, hudson.VirtualChannel channel)
-		 */
 		@Override
 		public String invoke(File file, VirtualChannel channel) throws IOException, InterruptedException {
 			String retVal = null;
@@ -522,14 +521,6 @@ public String invoke(File file, VirtualChannel channel) throws IOException, Inte
 			return retVal;
 		}
 
-		/*
-		 * (non-Javadoc)
-		 * @see org.jenkinsci.remoting.RoleChecker#checkRoles(hudson.RoleChecker arg0l)
-		 */
-		@Override
-		public void checkRoles(RoleChecker arg0) throws SecurityException {
-			// TODO Auto-generated method stub
-		}
 	}
 
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.