Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments.

It allows attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments. Attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) can invoke arbitrary OS commands.

Katalon Plugin 1.0.33 changes the message type to controller-to-agent, preventing execution on the controller.

Affected Packages

Maven org.jenkins-ci.plugins:katalon

Affected versions: 0 (fixed in 1.0.33)

Related CVEs

CVE-2022-43416

Key Information

GHSA ID

GHSA-q6f6-6c4p-xph4

Published

October 19, 2022 7:00 PM

Last Modified

October 27, 2023 8:55 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:katalon

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.