#java

Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.13 restricts execution of the agent/controller message to agents.

Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Compuware Xpediter Code Coverage Plugin 1.0.8 restricts execution of the agent/controller message to agents.

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments, and attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) to invoke arbitrary OS commands. Katalon Plugin 1.0.33 changes the message type to controller-to-agent, preventing execution on the controller.

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. Compuware Topaz Utilities Plugin 1.0.9 restricts execution of the agent/controller message to agents.

Categories: Exploits and vulnerabilities Categories: News Tags: Log4Text Tags: Apache Tags: Commons Text Tags: CVE-2022-42889 Tags: Log4j Tags: Log4Shell Tags: interpolators Log4Text is a recently found vulnerability in Apache Commons. Log4Text provoked a knee jerk reaction because it reminds us of Log4Shell. So should we worry? (Read more...) The post Why Log4Text is not another Log4Shell appeared first on Malwarebytes Labs.

### Impact _What kind of vulnerability is it? Who is impacted?_ All users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Upgrade to at least 2.7.5 to resolve the issue. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Until you are able to upgrade, make sure to review any PRs from exernal users for malicious payloads before allowing them to trigger a build. ### For more information If you have any questions or comments about this advisory: * Open an issue in [kartverket/github-workflows](https://github.com/kartverket/github-workflows)

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function.

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component.

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the joborderID parameter.