CVE-2022-43416: 
Java vulnerability analysis and mitigation

CVE-2022-43416 affects the Jenkins Katalon Plugin versions 1.0.32 and earlier. The vulnerability was discovered and disclosed on October 19, 2022, impacting Jenkins installations version 2.318 and earlier, LTS 2.303.2 and earlier. This high-severity vulnerability (CVSS 8.8) affects the agent/controller message implementation in the plugin (Jenkins Advisory, NVD).

The vulnerability exists in the agent/controller message implementation that does not properly limit where it can be executed and allows invoking Katalon with configurable arguments. The issue allows attackers with control over agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) (NVD).

Attackers who can control agent processes can invoke Katalon on the Jenkins controller with attacker-controlled parameters. Furthermore, if attackers have additional capabilities to create files on the Jenkins controller (such as Item/Configure permission to archive artifacts), they can execute arbitrary OS commands. This creates a significant security risk for affected Jenkins installations (Jenkins Advisory).

The vulnerability has been fixed in Katalon Plugin version 1.0.33, which changes the message type to controller-to-agent, preventing execution on the controller. Organizations should upgrade to this version or later to mitigate the vulnerability (Jenkins Advisory).