VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28156

Description

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to copy arbitrary files from the Jenkins controller to agent workspace.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Pipeline: Phoenix AutoTest Plugin versions 1.3 and earlier [1][2][3] contain a path traversal / arbitrary file read vulnerability. An attacker who holds Item/Configure permission on a Jenkins job can configure the plugin so that, during build execution, it copies arbitrary files and directories from the Jenkins controller filesystem into the agent workspace.

Exploitation

An attacker must have Item/Configure permission on at least one Jenkins job [1]. They modify the plugin's configuration to specify arbitrary paths on the Jenkins controller (such as /etc/passwd or sensitive job workspace contents). When a build is triggered, the plugin copies those files from the controller to the agent workspace, where the attacker can read them [1]. Beyond holding that permission, no additional authentication or user interaction is required.

Impact

Successful exploitation allows the attacker to read arbitrary files and directories from the Jenkins controller filesystem [1][2]. This can disclose sensitive information, including credentials stored in Jenkins configuration files, secret keys, source code, or other confidential data. Because the copy is performed by the build on the controller, the attacker effectively reads files with the controller process's filesystem access, which is typically far broader than what their own Jenkins permissions would allow.

Mitigation

As of the Jenkins Security Advisory 2022-03-29 [1], no fix was available for Pipeline: Phoenix AutoTest Plugin [2], and the plugin remains listed as having unresolved security issues. Users should restrict Item/Configure permission to trusted users only, or remove or disable the plugin if it is not strictly required, and monitor the Jenkins plugin update center for a future patched release.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
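To make the mitigation above actionable, the following Jenkins script-console check is an added example (not part of this advisory or of the plugin itself). It assumes the plugin's short name is `phoenix-autotest` (taken from the Maven artifactId listed below) and that the instance uses matrix-based authorization; under other authorization strategies the Item/Configure review must be done by hand.

```groovy
// Added audit script for the Jenkins script console (Manage Jenkins > Script Console).
// Reports whether an affected Pipeline: Phoenix AutoTest Plugin build is installed and
// which security IDs are granted Item/Configure, globally and per job.
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.util.VersionNumber
import hudson.security.GlobalMatrixAuthorizationStrategy
import hudson.security.AuthorizationMatrixProperty

def jenkins = Jenkins.get()

// 1. Plugin presence and version. 'phoenix-autotest' is assumed to be the short name,
//    derived from the advisory's Maven coordinate com.surenpi.jenkins:phoenix-autotest.
def plugin = jenkins.pluginManager.getPlugin('phoenix-autotest')
if (plugin == null) {
    println 'phoenix-autotest: not installed'
} else {
    def installed = new VersionNumber(plugin.version)
    boolean affected = installed.compareTo(new VersionNumber('1.3')) <= 0
    println "phoenix-autotest ${plugin.version}: " +
            (affected ? 'AFFECTED (1.3 or earlier, no fix published)' : 'outside the affected range')
}

// 2. Global Item/Configure grants (matrix-based authorization only).
def strategy = jenkins.authorizationStrategy
if (strategy instanceof GlobalMatrixAuthorizationStrategy) {
    def sids = strategy.grantedPermissions[Item.CONFIGURE] ?: []
    println "Item/Configure granted globally to: ${sids ?: '(nobody)'}"
} else {
    println "Authorization strategy is ${strategy.class.simpleName}; review Item/Configure grants manually"
}

// 3. Per-job Item/Configure grants set through a job's own permission matrix.
jenkins.getAllItems(hudson.model.Job).each { job ->
    def prop = job.getProperty(AuthorizationMatrixProperty)
    def sids = prop?.grantedPermissions?.get(Item.CONFIGURE)
    if (sids) {
        println "Job '${job.fullName}': Item/Configure granted to ${sids}"
    }
}
```

Every security ID the script lists can configure a job that uses this plugin, so each entry should be either a trusted user or removed until a patched release is available.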

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.surenpi.jenkins:phoenix-autotest (Maven)
Affected versions: <= 1.3
Patched versions: none

Patches

No patches discovered yet.
