GHSA-vhwv-8897-jm7q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vhwv-8897-jm7q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-vhwv-8897-jm7q/GHSA-vhwv-8897-jm7q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vhwv-8897-jm7q
- Aliases
-
- CVE-2022-43430
- Published
- 2022-10-19T19:00:18Z
- Modified
- 2024-02-16T08:23:42.093776Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
- Summary
- XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin
- Details
-
Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
- Database specific
{ "nvd_published_at": "2022-10-19T16:15:00Z", "cwe_ids": [ "CWE-611" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-10-19T21:22:06Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-43430
- https://github.com/jenkinsci/compuware-topaz-for-total-test-plugin/commit/9ce24fb63fcdb94290340d2ec53f478635c416ab
- https://github.com/jenkinsci/compuware-topaz-for-total-test-plugin
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2625
- http://www.openwall.com/lists/oss-security/2022/10/19/3
Affected packages
Maven / com.compuware.jenkins:compuware-topaz-for-total-test
Package
- Name
- com.compuware.jenkins:compuware-topaz-for-total-test
- View open source insights on deps.dev
- Purl
- pkg:maven/com.compuware.jenkins/compuware-topaz-for-total-test
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.4.9