VYPR
High severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28155

Description

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not disable XML external entity processing, allowing XXE attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Pipeline: Phoenix AutoTest Plugin version 1.3 and earlier does not configure its XML parser to reject document type declarations or to disable external entity resolution, so any XML input the plugin parses is processed with external entities enabled. Every build step that goes through the plugin's XML parsing is affected. [1][2]

Exploitation

An attacker who can control the XML the plugin parses (for example by supplying a crafted XML artifact, or by triggering a build that processes attacker-controlled XML content) declares an external entity in a DOCTYPE and references it from the document body. When the plugin parses the document, the parser resolves the entity, fetching the file or URL it names on the Jenkins controller. [1][2]

Impact

Successful exploitation lets the attacker read files that the Jenkins process can read on the controller, make the controller issue requests to internal services (server-side request forgery), or cause a denial of service through entity expansion. The attacker gains the file system and network reach of the Jenkins controller process, not code execution; XXE on its own does not execute attacker code. [1][2]

Mitigation

As of the Jenkins security advisory of 2022-03-29, no fixed release exists and the vulnerability remains unresolved. Until a fixed version ships, disable or uninstall the Pipeline: Phoenix AutoTest Plugin if it is not essential; if it must stay installed, restrict who can supply the XML files it parses, since an attacker needs control over that input to exploit the issue. [1][2]
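The following Java program is an added example written for this page; it is not code from the Phoenix AutoTest Plugin or from Jenkins. It shows the mechanism described in the Vulnerability, Exploitation and Mitigation sections above: a DocumentBuilder left at JDK defaults resolves an external general entity that points at a local file, while a builder configured to reject DOCTYPE declarations refuses the same document. The XML element names (results, case), the temporary "secret" file and its contents are constructed for the demonstration and are not the plugin's actual input format.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeDemo {

    // Crafted document: a DOCTYPE declares an external general entity whose
    // SYSTEM identifier is a file URL, and the body references that entity.
    // Element names are hypothetical, not the plugin's real schema.
    static String craftedXml(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE results [\n"
             + "  <!ENTITY xxe SYSTEM \"" + target.toUri() + "\">\n"
             + "]>\n"
             + "<results><case name=\"smoke\">&xxe;</case></results>";
    }

    // Parser as a plugin would get it with no hardening: JDK defaults allow
    // DOCTYPE declarations and resolve external general entities.
    static DocumentBuilder unsafeParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser. Rejecting the DOCTYPE outright is the decisive control:
    // with no DTD there is nowhere to declare an entity. The remaining features
    // are defence in depth for parsers that cannot refuse DOCTYPEs.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        // Not a defence on its own (the entity is still resolved), kept for completeness.
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and returns the text of the first <case> element,
    // which is where the entity's expansion lands if the parser resolved it.
    static String firstCaseText(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("case").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file on the controller the attacker wants to read.
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.writeString(secret, "hudson.util.Secret=not-so-secret");
        String xml = craftedXml(secret);
        try {
            // Default parser: the file contents appear inside the <case> element.
            System.out.println("default parser  -> " + firstCaseText(unsafeParser(), xml));
            // Hardened parser: the DOCTYPE itself is rejected before any entity is seen.
            try {
                firstCaseText(hardenedParser(), xml);
                System.out.println("hardened parser -> unexpectedly parsed the document");
            } catch (SAXParseException e) {
                System.out.println("hardened parser -> rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with java XxeDemo.java on JDK 11 or later. The same two builders are a useful yardstick when auditing any Jenkins plugin that parses XML it did not write itself: grep for DocumentBuilderFactory, SAXParserFactory and XMLInputFactory instances and check whether the disallow-doctype-decl feature (or its equivalent for that factory) is set before the parser is created.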

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.surenpi.jenkins:phoenix-autotest (Maven)
Affected versions: <= 1.3
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 1