CVE-2022-28148
Description
Path traversal in Jenkins Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers with Item/Read permission to read arbitrary files on Windows controllers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The file browser in Jenkins Continuous Integration with Toad Edge Plugin versions 2.3 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability. This affects all versions before 2.4 on Windows controllers.
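The following is an added example, not the plugin's code and not taken from the advisory: a containment check that evaluates requested paths under Windows rules, next to a naive check that only looks for `..` and a leading `/`. The base directory, function names and sample inputs are constructed for illustration; the page does not state which path forms the plugin mishandles.

```python
import ntpath
from pathlib import PureWindowsPath

# Constructed workspace root; ntpath/PureWindowsPath apply Windows rules on any OS.
BASE = r"C:\Jenkins\workspace\job1"


def naive_resolve(base: str, requested: str) -> str:
    """Hypothetical weak check: blocks '..' segments and a leading '/', then joins."""
    if ".." in requested.split("/") or requested.startswith("/"):
        raise ValueError("rejected")
    # On Windows, joining a base with an anchored path discards the base.
    return ntpath.normpath(ntpath.join(base, requested))


def safe_resolve(base: str, requested: str) -> str:
    """Reject anchored paths under Windows semantics, then verify containment."""
    p = PureWindowsPath(requested)
    # drive: 'C:' or a UNC share; root: a leading '\' or '/'. Either anchors the path.
    if p.drive or p.root:
        raise ValueError(f"anchored path not allowed: {requested!r}")
    base_n = ntpath.normpath(base)
    full = ntpath.normpath(ntpath.join(base_n, requested))
    # Compare case-insensitively on whole path components, not string prefixes.
    base_c, full_c = ntpath.normcase(base_n), ntpath.normcase(full)
    if ntpath.commonpath([base_c, full_c]) != base_c:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return full


def is_allowed(requested: str) -> bool:
    try:
        safe_resolve(BASE, requested)
        return True
    except ValueError:
        return False


# Constructed inputs covering the Windows forms of an anchored path.
SAMPLES = [r"src\main.c", r"C:\Windows\win.ini", r"\Windows\win.ini",
           r"D:notes.txt", r"\\host\share\f.txt", r"..\..\secrets.xml"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} allowed={is_allowed(s)}")
```

The check does not cover reserved device names or alternate data streams, which need separate handling.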
Exploitation
An attacker must have Item/Read permission in Jenkins and be able to navigate the file browser to a path that is interpreted as absolute on Windows. By exploiting the path traversal, the attacker can browse outside the intended directory and read arbitrary files.
Impact
An attacker with Item/Read permission can obtain the contents of arbitrary files on Windows controllers, leading to information disclosure. This could expose sensitive configuration data, credentials, or other confidential information stored on the controller filesystem.
Mitigation
Continuous Integration with Toad Edge Plugin version 2.4, released on 2022-03-29, fixes this vulnerability [1][2]. Users should upgrade to 2.4 or later. As a workaround, administrators can revoke Item/Read permission from users who do not need it. No EOL status or KEV listing is mentioned in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ci-with-toad-edge (Maven) | < 2.4 | 2.4 |
Affected products
- Jenkins project/Jenkins Continuous Integration with Toad Edge Plugin (v5), Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-mc92-c859-jr66 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-28148 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/03/29/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.jenkins.io/security/advisory/2022-03-29/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-03-29 (Jenkins Security Advisories, Mar 29, 2022)