CVE-2022-43434
Jenkins NeuVector Vulnerability Scanner Plugin Remote File Inclusion
Description
Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
INFO
Published Date :
Oct. 19, 2022, 4:15 p.m.
Last Modified :
May 8, 2025, 7:15 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] | ||||
| CVSS 3.1 | MEDIUM | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update Jenkins plugins to the following versions: - 360 FireLine Plugin: See vendor advisory - Compuware Source Code Download for Endevor, PDS, and ISPW Plugin to version 2.0.13 or later - Compuware Strobe Measurement Plugin: See vendor advisory - Compuware Topaz for Total Test Plugin: See vendor advisory - Compuware Topaz Utilities Plugin to version 1.0.9 or later - Compuware Xpediter Code Coverage Plugin to version 1.0.8 or later - Contrast Continuous Application Security Plugin to version 3.10 or later - Custom Checkbox Parameter Plugin: See vendor advisory - Generic Webhook Trigger Plugin to version 1.84.2 or later - GitLab Plugin to version 1.5.36 or later - Job Import Plugin to version 3.6 or later - Katalon Plugin to version 1.0.34 or later - Mercurial Plugin to version 1260.vdfb_723cdcc81 or later - NeuVector Vulnerability Scanner Plugin: See vendor advisory - NUnit Plugin to version 0.28 or later - Pipeline: Deprecated Groovy Libraries Plugin to version 588.v576c103a_ff86 or later - Pipeline: Groovy Libraries Plugin: See vendor advisory - Pipeline: Groovy Plugin to version 2803.v1a_f77ffcc773 or later - Pipeline: Input Step Plugin to version 456.vd8a_957db_5b_e9 or later - Pipeline: Stage View Plugin to version 2.27 or later - Pipeline: Supporting APIs Plugin to version 839.v35e2736cfd5c or later - REPO Plugin to version 1.16.0 or later - S3 Explorer Plugin: See vendor advisory - ScreenRecorder Plugin: See vendor advisory - Script Security Plugin to version 1184.v85d16b_d851b_3 or later - Tuleap Git Branch Source Plugin to version 3.2.5 or later - XFramium Builder Plugin: See vendor advisory See vendor advisory for more details.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2022-43434.
| URL | Resource |
|---|---|
| http://www.openwall.com/lists/oss-security/2022/10/19/3 | Mailing List Third Party Advisory |
| https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865 | Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2022/10/19/3 | Mailing List Third Party Advisory |
| https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865 | Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2022-43434 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2022-43434
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2022-43434 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2022-43434 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
May. 08, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Added CWE CWE-693 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2022/10/19/3 Added Reference https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865 -
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
Modified Analysis by [email protected]
Nov. 22, 2023
Action Type Old Value New Value Added CWE NIST NVD-CWE-noinfo -
CVE Modified by [email protected]
Oct. 25, 2023
Action Type Old Value New Value Removed CWE Jenkins Project CWE-693 -
Initial Analysis by [email protected]
Oct. 24, 2022
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Changed Reference Type http://www.openwall.com/lists/oss-security/2022/10/19/3 No Types Assigned http://www.openwall.com/lists/oss-security/2022/10/19/3 Mailing List, Third Party Advisory Changed Reference Type https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865 No Types Assigned https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865 Vendor Advisory Added CPE Configuration OR *cpe:2.3:a:jenkins:neuvector_vulnerability_scanner:*:*:*:*:*:jenkins:*:* versions up to (including) 1.20 -
CVE Modified by [email protected]
Oct. 19, 2022
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2022/10/19/3 [No Types Assigned]
Vulnerability Scoring Details
Base CVSS Score: 5.3
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
0.21 }} 0.06%
score
0.42977
percentile