CVE-2022-43416 in Katalon Plugininfo

Summary

by MITRE • 10/19/2022

Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments, and attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) to invoke arbitrary OS commands.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/09/2025

The vulnerability identified as CVE-2022-43416 affects the Jenkins Katalon Plugin version 1.0.32 and earlier, presenting a critical security flaw that enables remote code execution on Jenkins controllers through compromised agent processes. This vulnerability stems from insufficient validation of message execution contexts within the plugin's agent/controller communication mechanism, allowing attackers to manipulate where and how Katalon commands are executed. The flaw specifically manifests when the plugin processes messages that permit configurable arguments, creating opportunities for attackers to execute arbitrary commands on the Jenkins controller system.

The technical implementation of this vulnerability involves the plugin's failure to properly validate or restrict the execution context of agent messages that can invoke Katalon with attacker-controlled parameters. When an attacker gains control of an agent process, they can leverage this flaw to execute Katalon commands on the Jenkins controller with arbitrary version specifications, installation locations, and command-line arguments. This design flaw directly violates the principle of least privilege and enables privilege escalation from agent-level access to controller-level command execution. The vulnerability is particularly dangerous because it allows attackers to create files on the controller filesystem, enabling further exploitation and persistence mechanisms.

The operational impact of CVE-2022-43416 extends beyond simple remote code execution, as it provides attackers with complete control over the Jenkins controller's file system and command execution capabilities. Attackers with minimal permissions such as Item/Configure access can exploit this vulnerability to archive artifacts and execute arbitrary operating system commands, effectively bypassing the normal security boundaries between agents and the controller. This vulnerability essentially allows attackers to perform actions that should be restricted to administrators or privileged users, including file creation, command execution, and potentially data exfiltration or system compromise. The attack vector is particularly concerning because it requires only agent-level compromise rather than direct controller access.

From a cybersecurity perspective, this vulnerability aligns with CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-20 (Improper Input Validation) categories, demonstrating poor input sanitization and command execution handling. The flaw also maps to ATT&CK techniques including T1059.001 (Command and Scripting Interpreter: PowerShell) and T1078.004 (Valid Accounts: Cloud Accounts) when attackers leverage compromised agent processes to gain controller-level access. Organizations using Jenkins with the affected Katalon plugin should immediately implement mitigations including upgrading to version 1.0.33 or later, restricting agent permissions, and implementing network segmentation to limit agent access to sensitive controller functions. Additionally, security monitoring should be enhanced to detect unusual file creation patterns and command execution activities on Jenkins controllers that could indicate exploitation attempts.

Reservation

10/18/2022

Disclosure

10/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01088

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!