PT-2022-18854 · Jenkins · Jenkins Pipeline: Phoenix Autotest Plugin

Jeff Thompson · Published 2022-03-29 · Updated 2023-11-03

CVE-2022-28155 · CVSS v3.1 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Phoenix AutoTest Plugin versions 1.3 and earlier
Description: The Phoenix AutoTest Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. An attacker who can control the input files for the readXml or writeXml build step can therefore have Jenkins parse a crafted file whose external entities are used to extract secrets from the Jenkins controller or to perform server-side request forgery.
Recommendations: For Jenkins Pipeline: Phoenix AutoTest Plugin versions 1.3 and earlier, consider disabling the readXml and writeXml build steps until a patch is available, to prevent XML external entity attacks. Restrict access to these build steps to minimize the risk of exploitation.
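The weakness above is a JAXP parser left at its defaults. The following is an added illustration, not code from the Phoenix AutoTest Plugin: it parses a constructed sample document (the entity's SYSTEM identifier is a placeholder path) with a default DocumentBuilderFactory and with one hardened using the standard Xerces/JAXP features, and reports whether the parser refused the DOCTYPE or went ahead and tried to resolve the external entity.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class XmlParserHardening {
    // Constructed sample input (not taken from the plugin): a DOCTYPE declaring an
    // external entity. The SYSTEM identifier is a placeholder, not a real path.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE results [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/not-a-real-file\">]>\n"
      + "<results><case name=\"login\">&ext;</case></results>\n";

    // Default JAXP factory: DOCTYPEs and external entities are honoured, so a
    // crafted readXml/writeXml input can make the parser open files or URLs.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }
    // Hardened factory: refuse any DOCTYPE, and as defence in depth also switch
    // off external entities, external DTD loading and XInclude.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Parses the sample with the given factory and reports what the parser did.
    static String parseOutcome(DocumentBuilderFactory f, String xml) throws ParserConfigurationException, SAXException {
        try {
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return "parsed, entities expanded";
        } catch (SAXParseException e) {   // hardened: DOCTYPE refused before any fetch
            return "rejected: " + e.getMessage();
        } catch (IOException e) {         // default: parser already tried to open the entity
            return "attempted external fetch: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("default:  " + parseOutcome(defaultFactory(), UNTRUSTED_XML));
        System.out.println("hardened: " + parseOutcome(hardenedFactory(), UNTRUSTED_XML));
    }
}
```

With the default factory the IOException shows the parser attempting to open the placeholder path, which is the data-exfiltration or SSRF primitive the advisory describes; the hardened factory stops at the DOCTYPE declaration itself.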

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2022-28155
GHSA-RWG2-W82X-V57J

Affected Products

Jenkins
Jenkins Pipeline: Phoenix Autotest Plugin