CVE-2022-28157
Description
Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Pipeline: Phoenix AutoTest Plugin (versions 1.3 and earlier) for Jenkins contains a missing permission check vulnerability. Attackers who have obtained the Item/Configure permission can use the plugin's FTP functionality to upload arbitrary files from the Jenkins controller's filesystem to an attacker-controlled FTP server. This affects all versions up to and including 1.3 [1][2][3].
Exploitation
An attacker must have Item/Configure permission on a Jenkins job that uses the Phoenix AutoTest Plugin. The attacker can then craft a pipeline step, such as phoenixFtp, specifying an arbitrary file from the Jenkins controller as the source and an attacker-controlled FTP server as the destination. When the pipeline executes, the plugin will read the specified file and transfer it to the remote FTP server [1][3][4].
Impact
Successful exploitation allows an attacker to exfiltrate arbitrary files from the Jenkins controller filesystem, including sensitive configuration files, credentials, and other secrets. This can lead to further compromise of the Jenkins environment and any systems integrated with it [1][2][3].
Mitigation
As of the publication date (2022-03-29), no fixed version of the Pipeline: Phoenix AutoTest Plugin has been released, and the vulnerability remains unresolved [1][2]. Users are advised to restrict Item/Configure permission to trusted users, monitor for any suspicious FTP traffic from the Jenkins controller, and consider removing or disabling the plugin if it is not required [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.surenpi.jenkins:phoenix-autotest | Maven | <= 1.3 | — |
Affected products
- Jenkins project / Jenkins Pipeline: Phoenix AutoTest Plugin (version range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] GitHub Security Advisory GHSA-62hc-f8qj-5xc3: https://github.com/advisories/GHSA-62hc-f8qj-5xc3
[2] NVD entry for CVE-2022-28157: https://nvd.nist.gov/vuln/detail/CVE-2022-28157
[3] oss-security mailing list post, 2022-03-29: https://www.openwall.com/lists/oss-security/2022/03/29/1
[4] Jenkins Security Advisory 2022-03-29: https://www.jenkins.io/security/advisory/2022-03-29/
News mentions
- Jenkins Security Advisory 2022-03-29 (Jenkins Security Advisories, Mar 29, 2022)