CVE-2022-28140: XXE vulnerability in Jenkins Flaky Test Handler Plugin
CVSS Score: 8.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-28140
GHSA ID:
EPSS Score: 0.92287%
CWE:
Published: 3/30/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:flaky-test-handler | maven | < 1.2.2 | 1.2.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The fix commit hardens the dom4j SAXReader that FlakySuiteResult.parse() uses to read test report XML: it enables the disallow-doctype-decl feature and disables resolution of external entities. Vulnerable versions (< 1.2.2) construct the SAXReader with default settings, so a report containing a DOCTYPE that declares an external entity is resolved by the parser. That is the XXE condition: an actor who can influence the contents of a report the plugin parses (PR:L in the vector) can have the Jenkins controller read local files into the parsed result or issue server-side requests, consistent with the C:H/I:H impact. The method's purpose (parsing attacker-influenceable XML) and the nature of the patch match the standard XXE mitigation pattern. The changes to FlakyTestResult.java only adjust exception handling for the parser errors the new checks raise; they are not part of the vulnerability itself.
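To make the before/after concrete at the parser level, the following is an added example written for this page; it is not code from the flaky-test-handler plugin or from the Miggo analysis. It uses the dom4j SAXReader API the analysis refers to and assumes dom4j 2.x is on the classpath. The JUnit-style report is constructed here, and a temporary file stands in for a secret on the controller; the class and method names are illustrative.

```java
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not the plugin's own code): the unhardened and hardened
 * SAXReader configurations side by side. Assumes dom4j 2.x on the classpath.
 */
public class XxeReportDemo {

    /** Mirrors the vulnerable pattern: a SAXReader left at its default features. */
    static Document parseUnhardened(String xml) throws DocumentException {
        SAXReader reader = new SAXReader();
        return reader.read(new StringReader(xml));
    }

    /** Mirrors the fix: reject any DOCTYPE and never resolve external entities. */
    static Document parseHardened(String xml) throws DocumentException, SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Extra layer beyond what the analysis lists: do not fetch an external DTD either.
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader.read(new StringReader(xml));
    }

    /** Constructed JUnit-style report whose failure text pulls in a local file via an entity. */
    static String craftedReport(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE testsuite [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<testsuite name=\"demo\" tests=\"1\" failures=\"1\">\n"
             + "  <testcase classname=\"demo.T\" name=\"flaky\">\n"
             + "    <failure message=\"boom\">&xxe;</failure>\n"
             + "  </testcase>\n"
             + "</testsuite>\n";
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret on the Jenkins controller (constructed for the demo).
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.write(secret, "s3cr3t-value".getBytes(StandardCharsets.UTF_8));
        String xml = craftedReport(secret);

        // Default parser: the entity is expanded and the file contents land in the parsed result.
        Document doc = parseUnhardened(xml);
        String failureText = doc.getRootElement().element("testcase").element("failure").getText();
        System.out.println("unhardened parser leaked: " + failureText);

        // Hardened parser: the DOCTYPE itself is refused, so the entity is never declared or resolved.
        try {
            parseHardened(xml);
            System.out.println("hardened parser accepted the report (unexpected)");
        } catch (DocumentException e) {
            System.out.println("hardened parser rejected the report: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with the dom4j jar on the classpath (javac/java -cp). The first line printed shows the temp file's contents surfacing as failure text, which is exactly the leak path through a test report; the second shows the hardened reader failing fast on the DOCTYPE, which is why the fix also needed the exception-handling adjustments in FlakyTestResult.java.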