Miggo Logo

CVE-2022-28140: XXE vulnerability in Jenkins Flaky Test Handler Plugin

8.1

CVSS Score
3.1

Basic Information

EPSS Score
0.92287%
Published
3/30/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:flaky-test-handlermaven< 1.2.21.2.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows critical security features were added to the SAXReader in FlakySuiteResult.parse(): disallow-doctype-decl, and disabling external entities. The absence of these configurations in vulnerable versions directly allows XXE exploitation. The method's purpose (XML parsing of test reports) and the patched fixes align with XXE mitigation patterns. FlakyTestResult.java changes only reflect exception handling updates due to the new security checks, not the vulnerability itself.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *l*ky T*st **n*l*r Plu*in *.*.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks.

Reasoning

T** *ommit *i** s*ows *riti**l s**urity ***tur*s w*r* ***** to t** `S*XR****r` in `*l*kySuit*R*sult.p*rs*()`: *is*llow-*o*typ*-***l, *n* *is**lin* *xt*rn*l *ntiti*s. T** **s*n** o* t**s* *on*i*ur*tions in vuln*r**l* v*rsions *ir**tly *llows XX* *xplo