PT-2022-4018 · Compuware+1 · Jenkins Compuware Ispw Operations Plugin+1

Published: 2022-07-27 · Updated: 2023-11-02

CVE-2022-36899

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Compuware ISPW Operations Plugin versions 1.0.8 and earlier

Description
The Jenkins Compuware ISPW Operations Plugin does not restrict a controller/agent message to execution on agents, so an agent can submit that message for execution on the controller. This allows attackers who can control agent processes to retrieve Java system properties. The vulnerability can be exploited by attackers to gain unauthorized access to system configuration information.

Recommendations
For Jenkins Compuware ISPW Operations Plugin versions 1.0.8 and earlier, update to version 1.0.9 or later, which does not allow the affected controller/agent message to be submitted by agents for execution on the controller. As a temporary workaround, consider restricting access to the controller/agent message to prevent exploitation.

Fix

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

BDU:2022-04851
CVE-2022-36899
GHSA-57F2-52WJ-7VJ6

Affected Products

Jenkins
Jenkins Compuware Ispw Operations Plugin