VYPR
High severity · NVD Advisory · Published Mar 29, 2022 · Updated Oct 15, 2024

CVE-2022-28136

Description

CSRF in Jenkins JiraTestResultReporter Plugin 165.v817928553942 and earlier lets attackers connect to attacker-specified URLs with attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins JiraTestResultReporter Plugin versions 165.v817928553942 and earlier [1][2][4]. The plugin does not require a CSRF protection token for requests that trigger connections to attacker-controlled URLs, allowing an attacker to craft a malicious request that executes in the context of an authenticated Jenkins user.

Exploitation

An attacker with the ability to trick an authenticated Jenkins user into clicking a crafted link or visiting a malicious web page can exploit this vulnerability [1][4]. No additional authentication or privileges are required beyond the victim's session. The attacker does not need to be on the same network; the exploit can be delivered via social engineering.

Impact

Successful exploitation allows the attacker to make the Jenkins server connect to an attacker-specified URL using attacker-specified credentials [1][4]. This can lead to information disclosure if the target URL returns sensitive data, or potentially enable further attacks, such as credential harvesting or data exfiltration.

Mitigation

The vulnerability is fixed in JiraTestResultReporter Plugin version 166.v0cc6208295b5 and later, released on March 29, 2022 [2]. Users should upgrade to the latest version immediately. No workarounds are documented [1][2].
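Beyond upgrading, a team that maintains its own Jenkins plugins can look for the pattern this fix applies: a Stapler `do*` form-validation handler that lacks `@RequirePOST` and a permission check. The Python script below is an added example, not part of this advisory or of the plugin's code. It performs a rough static audit of Java source for such handlers. The Java fragment it scans is constructed for the demo and only loosely modelled on the patched method; `doValidateFixed` and `doCheckName` are invented names.

```python
import re
from typing import Dict, List

# Constructed Java fragment for the demo, loosely modelled on the patched
# doValidateGlobal method in this advisory; it is not the plugin's real source.
SAMPLE_SOURCE = """
public class JiraTestDataPublisher {

    // Before the fix: reachable by GET, no permission check.
    public FormValidation doValidateGlobal(@QueryParameter String jiraUrl,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        String serverName;
        try {
            new URL(jiraUrl);
        } catch (MalformedURLException e) {
            return FormValidation.error("Invalid URL");
        }
        return FormValidation.ok();
    }

    // After the fix: POST only, and only administrators.
    @RequirePOST
    public FormValidation doValidateFixed(@QueryParameter String jiraUrl) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return FormValidation.ok();
    }

    // POST-only but no permission check: worth a second look.
    @RequirePOST
    public FormValidation doCheckName(@QueryParameter String value) {
        return FormValidation.ok();
    }
}
"""

# Matches the annotations immediately preceding a public Stapler handler
# (method name starting with "do") and captures the handler name.
HANDLER_RE = re.compile(
    r"((?:@\w+(?:\([^)]*\))?\s*)*)"              # group 1: leading annotations
    r"public\s+[\w<>\[\]]+\s+(do[A-Z]\w*)\s*\("  # group 2: handler name
)
# Stapler's POST-only annotations (interceptor.RequirePOST and verb.POST).
POST_ANNOTATIONS = {"RequirePOST", "POST"}


def _method_body(src: str, start: int) -> str:
    """Return the brace-delimited body that follows position `start`.

    Plain brace counting: braces inside string literals or comments would
    confuse it, which is acceptable for an audit aid.
    """
    open_idx = src.index("{", start)
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx : i + 1]
    return src[open_idx:]


def audit_handlers(src: str) -> List[Dict[str, object]]:
    """Classify each do* handler by whether it has @RequirePOST and a permission check."""
    findings = []
    for m in HANDLER_RE.finditer(src):
        annotations = set(re.findall(r"@(\w+)", m.group(1)))
        body = _method_body(src, m.end())
        has_post = bool(annotations & POST_ANNOTATIONS)
        has_perm = "checkPermission(" in body
        if not has_post:
            # A permission check alone does not stop CSRF: the forged request
            # rides on the victim's own (possibly administrator) session.
            risk = "csrf-exposed"
        elif not has_perm:
            risk = "review-permission"
        else:
            risk = "ok"
        findings.append({"method": m.group(2), "require_post": has_post,
                         "permission_check": has_perm, "risk": risk})
    return findings


def risky_handlers(src: str) -> List[str]:
    """Names of handlers that are not fully protected."""
    return [f["method"] for f in audit_handlers(src) if f["risk"] != "ok"]


if __name__ == "__main__":
    for f in audit_handlers(SAMPLE_SOURCE):
        print(f"{f['method']:<20} POST={f['require_post']!s:<6} "
              f"perm={f['permission_check']!s:<6} {f['risk']}")
```

Run as-is it reports `doValidateGlobal` as CSRF-exposed, `doValidateFixed` as ok, and `doCheckName` as needing a permission review. The classification deliberately treats a missing `@RequirePOST` as the serious case regardless of the permission check, because a cross-site GET is issued with the victim's own session and therefore passes that check.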

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:JiraTestResultReporter (Maven)
Affected versions: < 166.v0cc6208295b5
Patched versions: 166.v0cc6208295b5

Affected products: 2

Patches: 1

Commit 0cc6208295b5

[SECURITY-2236]

1 file changed · +3 −0
  • src/main/java/org/jenkinsci/plugins/JiraTestResultReporter/JiraTestDataPublisher.java · +3 −0 · modified
    @@ -46,6 +46,7 @@
     import org.kohsuke.stapler.Stapler;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.bind.JavaScriptMethod;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import javax.annotation.Nonnull;
     import java.io.IOException;
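Review bot: the new import is placed with the other org.kohsuke.stapler imports, matching the file's existing grouping, so no style issue here; it is only half the fix, though, since importing RequirePOST changes nothing until the annotation is applied to the handler in the second hunk, so the two hunks must land together.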
    @@ -508,11 +509,13 @@ public TestDataPublisher newInstance(StaplerRequest req, JSONObject json) throws
              * @param password
              * @return
              */
    +        @RequirePOST
             public FormValidation doValidateGlobal(@QueryParameter String jiraUrl,
                                                    @QueryParameter String username,
                                                    @QueryParameter String password
                                                   ) {
     
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 String serverName;
                 try {
                     new URL(jiraUrl);
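Review bot: `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` references `Jenkins`, but this diff adds no `import jenkins.model.Jenkins` (the only import added is RequirePOST), so confirm the class is already imported in this file or the change will not compile. The placement is right: the permission check is the first statement of the body, ahead of `new URL(jiraUrl)`, so an unauthorized caller never reaches URL parsing or the outbound connection; and `@RequirePOST` is what actually closes the CSRF path, because the permission check alone would still pass for a forged request riding on an administrator's session. The Javadoc directly above is still empty (`@param password` and `@return` carry no text); it should state that the endpoint now requires POST and the ADMINISTER permission, which is the behavioural change anyone calling it needs to know.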
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 1