CVE-2022-28154

Name of the Vulnerable Software and Affected Versions Jenkins Coverage/Complexity Scatter Plot Plugin versions 1.1.1 and earlier

Description The issue allows attackers to control input files for the 'Public Coverage / Complexity Scatter Plot' post-build step, enabling them to have Jenkins parse a crafted file that uses external entities. This can lead to extraction of secrets from the Jenkins controller or server-side request forgery due to the XML parser not being configured to prevent XML external entity (XXE) attacks.

Recommendations For Jenkins Coverage/Complexity Scatter Plot Plugin versions 1.1.1 and earlier, as a temporary workaround, consider disabling the 'Public Coverage / Complexity Scatter Plot' post-build step until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.