CVE-2022-28154 – This vulnerability in Jenkins Coverage/Complexi... (How to Fix)

Q: What is the severity of CVE-2022-28154?

CVE-2022-28154 has a CVSS score of 8.1 (HIGH). This vulnerability in Jenkins Coverage/Complexity Scatter Plot Plugin allows attackers to perform XML External Entity (XXE) attacks by exploiting improper XML parser configuration. Attackers can read arbitrary files from the Jenkins controller file system, potentially exposing sensitive data. All Jenkins instances using affected plugin versions are vulnerable.

📋 TL;DR

This vulnerability in Jenkins Coverage/Complexity Scatter Plot Plugin allows attackers to perform XML External Entity (XXE) attacks by exploiting improper XML parser configuration. Attackers can read arbitrary files from the Jenkins controller file system, potentially exposing sensitive data. All Jenkins instances using affected plugin versions are vulnerable.

💻 Affected Systems

Products:

Jenkins Coverage/Complexity Scatter Plot Plugin

Versions: 1.1.1 and earlier

Operating Systems: All platforms running Jenkins

Default Config Vulnerable: ⚠️ Yes

Notes: All Jenkins installations using the affected plugin versions are vulnerable regardless of configuration.

📦 What is this software?

Coverage\/complexity Scatter Plot by Jenkins

View all CVEs affecting Coverage\/complexity Scatter Plot →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Jenkins controller with arbitrary file read, potentially exposing credentials, configuration files, and sensitive data stored on the server.

🟠

Likely Case

Unauthorized reading of sensitive files from Jenkins controller, potentially exposing credentials, SSH keys, or configuration data.

🟢

If Mitigated

Limited impact with proper network segmentation and file system permissions restricting access to sensitive files.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to internet are directly vulnerable to XXE attacks from external attackers.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires Jenkins user with Overall/Read permission. XXE attacks are well-documented and relatively easy to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.2

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1899

Restart Required: Yes

Instructions:

1. Update Jenkins Coverage/Complexity Scatter Plot Plugin to version 1.1.2 or later via Jenkins Plugin Manager. 2. Restart Jenkins to apply the update. 3. Verify plugin version in Jenkins plugin management interface.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Coverage/Complexity Scatter Plot Plugin until patching is possible

Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find plugin > Click 'Disable'

Restrict user permissions

all

Limit Overall/Read permissions to trusted users only to reduce attack surface

Navigate to Jenkins > Manage Jenkins > Manage and Assign Roles > Configure permissions to restrict Overall/Read

🧯 If You Can't Patch

Disable the Coverage/Complexity Scatter Plot Plugin completely
Implement strict network segmentation and firewall rules to limit access to Jenkins instances

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab > Search for 'Coverage/Complexity Scatter Plot Plugin'

Check Version:

Check Jenkins plugin directory or use Jenkins CLI: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep 'Coverage/Complexity Scatter Plot Plugin'

Verify Fix Applied:

Verify plugin version is 1.1.2 or later in Jenkins plugin management interface

📡 Detection & Monitoring

Log Indicators:

Unusual XML parsing errors in Jenkins logs
Multiple failed authentication attempts followed by XML processing requests
File read operations from unexpected locations

Network Indicators:

HTTP POST requests with XML payloads containing external entity declarations
Outbound connections from Jenkins to unexpected external servers

SIEM Query:

source="jenkins.log" AND ("XXE" OR "external entity" OR "DOCTYPE" OR "SYSTEM")

📊 Metadata

CVE ID: CVE-2022-28154

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-611

Published: March 29, 2022

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2022/03/29/1 Mailing List,Third Party Advisory
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1899 Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/03/29/1 Mailing List,Third Party Advisory
https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1899 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28154, you might also want to check these: