VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28137

Description

Missing permission check in Jenkins JiraTestResultReporter Plugin allows attackers with Overall/Read to connect to attacker-specified URL using attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Jenkins JiraTestResultReporter Plugin, versions 165.v817928553942 and earlier [1] [2], performs no permission check in the doValidateGlobal form-validation endpoint of JiraTestDataPublisher (the method shown in the fix commit below). The fix also adds @RequirePOST, so before it the endpoint could be reached with a plain GET as well. Any user with Overall/Read permission, the lowest level of authenticated access to a Jenkins instance, can supply a Jira URL together with a username and password, and the plugin opens a connection to that URL with those credentials [1] [2].

Exploitation

An attacker holding Overall/Read on the Jenkins instance sends a request to the plugin's doValidateGlobal endpoint with three query parameters, jiraUrl, username and password, all chosen by the attacker; no further authentication or user interaction is required [1]. Jenkins parses the URL, attempts to connect to it with the supplied credentials, and returns the outcome to the caller as a FormValidation result.
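The pattern the fix restores, as an added example in Java that is not the plugin's own code: a hypothetical Jenkins global configuration with the pre-fix shape of the endpoint next to its hardened form, plus a per-job variant that goes beyond this advisory's case. The class, method and parameter names (ExampleTrackerGlobalConfiguration, doValidateServer, serverUrl) are invented for illustration, and the connection probe uses java.net.HttpURLConnection with HTTP Basic authentication as a stand-in for whatever client the real plugin uses.

```java
package example.jenkins;

import hudson.Extension;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Illustrative global configuration for a hypothetical "ExampleTracker" plugin.
// Not the JiraTestResultReporter code; it reproduces the shape of the bug and of
// the fix so the two can be compared side by side.
@Extension
public class ExampleTrackerGlobalConfiguration extends GlobalConfiguration {

    // BEFORE (vulnerable): bound by Stapler as .../validateServerUnsafe, reachable
    // with a GET and with no permission check. Anyone who can log in (Overall/Read)
    // can make this Jenkins instance connect to any URL with any credentials.
    public FormValidation doValidateServerUnsafe(@QueryParameter String serverUrl,
                                                 @QueryParameter String username,
                                                 @QueryParameter String password) {
        return probe(serverUrl, username, password);
    }

    // AFTER (hardened): POST only, and the permission check is the first statement,
    // before the URL is even parsed. Global settings belong to Overall/Administer,
    // which is what the CVE-2022-28137 fix enforces.
    @RequirePOST
    public FormValidation doValidateServer(@QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter Secret password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(serverUrl, username, Secret.toString(password));
    }

    // Same pattern for a per-job form (beyond the advisory's case): the job in the
    // request path is what the caller must be allowed to configure. With no job in
    // the path, fall back to Administer rather than silently allowing the request.
    @RequirePOST
    public FormValidation doValidateServerForJob(@AncestorInPath Item job,
                                                 @QueryParameter String serverUrl,
                                                 @QueryParameter String username,
                                                 @QueryParameter Secret password) {
        if (job == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            job.checkPermission(Item.CONFIGURE);
        }
        return probe(serverUrl, username, Secret.toString(password));
    }

    // The outbound check itself, shared by all three bindings.
    private static FormValidation probe(String serverUrl, String username, String password) {
        URL url;
        try {
            url = new URL(serverUrl);
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL: " + serverUrl);
        }
        // Extra hardening beyond the actual patch: refuse non-HTTP schemes.
        String scheme = url.getProtocol();
        if (!"https".equals(scheme) && !"http".equals(scheme)) {
            return FormValidation.error("Only http and https URLs are accepted");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            conn.setRequestMethod("GET");
            String basic = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + basic);
            int status = conn.getResponseCode();
            return status == 200
                    ? FormValidation.ok("Connected to " + url.getHost())
                    : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            // Deliberately generic: do not echo exception text (which can carry
            // internal hostnames) back to the browser.
            return FormValidation.error("Could not connect to the configured server");
        }
    }
}
```

The order inside the hardened methods is the point: the permission check precedes any use of the attacker-controlled parameters, so an unauthorized caller never causes a URL parse, let alone a connection. @RequirePOST on its own is not enough, since an authenticated low-privilege user can still send a POST; the two annotations address different callers (cross-site GET versus a logged-in user) and both are needed.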

Impact

By exploiting this vulnerability, an attacker can make the Jenkins server open a connection to an arbitrary URL, including hosts on internal networks that Jenkins can reach but the attacker cannot, using credentials of the attacker's choosing. This is a server-side request forgery from a low-privilege account: the credentials sent are the attacker's own rather than Jenkins's stored Jira credentials, so the value to the attacker lies in Jenkins's network position, which can be used to probe or reach internal services through an operation that should have required Overall/Administer, the permission the fix enforces [1] [2].

Mitigation

The vulnerability is fixed in JiraTestResultReporter Plugin version 166.v0cc6208295b5, released on March 29, 2022 [2]. Users should upgrade to this version or later. No workarounds are provided by the vendor.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (Maven): org.jenkins-ci.plugins:JiraTestResultReporter
Affected versions: < 166.v0cc6208295b5
Patched versions: 166.v0cc6208295b5

Patches

0cc6208295b5

[SECURITY-2236]

1 file changed · +3 −0
  • src/main/java/org/jenkinsci/plugins/JiraTestResultReporter/JiraTestDataPublisher.java (modified, +3 −0)
    @@ -46,6 +46,7 @@
     import org.kohsuke.stapler.Stapler;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.bind.JavaScriptMethod;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import javax.annotation.Nonnull;
     import java.io.IOException;
    @@ -508,11 +509,13 @@ public TestDataPublisher newInstance(StaplerRequest req, JSONObject json) throws
              * @param password
              * @return
              */
    +        @RequirePOST
             public FormValidation doValidateGlobal(@QueryParameter String jiraUrl,
                                                    @QueryParameter String username,
                                                    @QueryParameter String password
                                                   ) {
     
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 String serverName;
                 try {
                     new URL(jiraUrl);
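Review bot: the Administer check is placed before new URL(jiraUrl) and before any network activity, which is the right ordering; a check after the URL is parsed would still let a Read-only caller reach the connection attempt. Two follow-ups in this hunk: the Javadoc immediately above (@param password and @return with no text) should state that the method now requires POST and Overall/Administer, since the configuration page that calls this form-validation endpoint has to send it as a POST; and password is still taken as a plain String query parameter, so consider hudson.util.Secret, the Jenkins convention for credential-bearing parameters.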
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
