CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
52.5%
Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control the input files for the ‘Topaz for Total Test - Execute Total Test scenarios’ build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
www.openwall.com/lists/oss-security/2022/10/19/3
github.com/jenkinsci/compuware-topaz-for-total-test-plugin
github.com/jenkinsci/compuware-topaz-for-total-test-plugin/commit/9ce24fb63fcdb94290340d2ec53f478635c416ab
nvd.nist.gov/vuln/detail/CVE-2022-43430
www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2625