VYPR
High severity · NVD Advisory · Published Oct 19, 2022 · Updated May 8, 2025

CVE-2022-43430

Description

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier is vulnerable to XXE attacks due to an unconfigured XML parser, allowing information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Jenkins Compuware Topaz for Total Test Plugin, versions 2.4.8 and earlier, fails to configure its XML parser to disable XML external entity (XXE) processing [1][4]. Because the parser is left at its defaults, an attacker who can supply XML content that declares external entities gets those entities resolved by the Jenkins controller, which is the XXE vulnerability.

Exploitation

An attacker who can supply crafted XML input to the plugin's parser can exploit this vulnerability. The exact attack vector depends on how the plugin processes XML; typical scenarios involve job configuration or build steps that parse user-supplied XML data. No authentication is explicitly required beyond the ability to interact with the plugin's XML parsing functionality [2].

Impact

Successful exploitation enables an attacker to read arbitrary files from the Jenkins controller's file system, perform server-side request forgery (SSRF), or cause denial of service. The confidentiality impact is high, as sensitive files (e.g., credentials, configuration) could be exfiltrated [1][4].

Mitigation

The vulnerability is fixed in Compuware Topaz for Total Test Plugin version 2.4.9. Users should upgrade immediately. No workarounds are documented; the only remediation is to apply the updated plugin version [1][2].
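To make the fix concrete, here is an added Java example (not code from the plugin, the advisory, or the project) that builds a DocumentBuilderFactory with the same six settings the 2.4.9 commit adds, beside a factory left at its defaults as in 2.4.8 and earlier, and checks which of the two rejects a document carrying a DOCTYPE. The class name, the helper method names, the probe document and the sample result XML are all constructed for this example; the real Topaz result file format is not shown on this page.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical class name; illustrates the parser hardening, not the plugin's own code.
public class HardenedXmlParser {

    // Hardened factory: the six settings applied by the fix commit for CVE-2022-43430.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; this alone stops entity declarations of every kind.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parsers that must still accept a DOCTYPE.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Pre-fix behaviour: a factory left at its defaults, as in plugin 2.4.8 and earlier.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Mirrors the shape of the patched method: parse a String through the given factory.
    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // Returns true when the factory refuses a document that carries a DOCTYPE.
    // The probe is constructed for this example and uses only an internal entity,
    // so nothing outside the document is ever referenced.
    static boolean rejectsDoctype(DocumentBuilderFactory dbf) throws Exception {
        String probe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY e \"x\">]>"
                + "<r>&e;</r>";
        try {
            parse(dbf, probe);
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample result document with no DOCTYPE; both factories accept it.
        String clean = "<?xml version=\"1.0\"?>"
                + "<testsuite name=\"demo\"><testcase name=\"t1\"/></testsuite>";

        System.out.println("default factory rejects DOCTYPE:  " + rejectsDoctype(defaultFactory()));
        System.out.println("hardened factory rejects DOCTYPE: " + rejectsDoctype(hardenedFactory()));
        System.out.println("hardened factory parses a clean result file, root element: "
                + parse(hardenedFactory(), clean).getDocumentElement().getTagName());
    }
}
```

With disallow-doctype-decl set, the parser throws a SAXParseException as soon as it sees the DOCTYPE, before any entity is declared or resolved, which is the property a regression test for this fix should assert. The remaining five settings do not change the outcome here but cover configurations where a DOCTYPE has to be accepted. Note that setFeature itself throws ParserConfigurationException if the underlying parser does not recognise a feature name, which is why the hardened factory declares it.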

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                                        Affected versions   Patched versions
com.compuware.jenkins:compuware-topaz-for-total-test (Maven)   < 2.4.9             2.4.9

Affected products: 2

Patches: 1
9ce24fb63fcd

Security 2625 fixed

1 file changed · +6 -0
  • src/main/java/com/compuware/jenkins/totaltest/TotalTestCTRunner.java (+6 -0, modified)
    @@ -323,6 +323,12 @@ else if (extension.compareTo(FILE_EXT_XAUNIT) == 0 ||
     	private Document getXaScenarioSuiteResultAsDocument(String xml) throws Exception //NOSONAR
     	{
     		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    +		dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    +		dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    +		dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    +		dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    +		dbf.setXIncludeAware(false);
    +		dbf.setExpandEntityReferences(false);
     		DocumentBuilder db = dbf.newDocumentBuilder();
     		Reader r = new StringReader(xml);
     		return db.parse(new InputSource(r));
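Review bot: the first added line, `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, makes the parser reject any input that carries a DOCTYPE, so a result file with a DTD declaration will now fail in `db.parse(new InputSource(r))` with a SAXParseException instead of parsing; confirm that Topaz XaUnit result XML never includes one, or catch that case and surface a clear message rather than the generic `throws Exception`. The other five settings are redundant once DOCTYPE is disallowed but are worth keeping as defense in depth. Since only this one DocumentBuilderFactory in getXaScenarioSuiteResultAsDocument is touched, it would also be worth pulling the six calls into a shared helper and checking that no other XML parser instance in the plugin is still created with defaults.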
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.