First published: Tue Mar 29 2022(Updated: )
Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/com.surenpi.jenkins:phoenix-autotest | <=1.3 | |
Jenkins Pipeline | <=1.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-28157 is classified as a high severity vulnerability due to the potential for attackers to upload arbitrary files to an FTP server.
To fix CVE-2022-28157, upgrade to Phoenix AutoTest Plugin version 1.4 or later.
Users of Jenkins with the Phoenix AutoTest Plugin versions 1.3 and earlier are affected by CVE-2022-28157.
An attacker needs Item/Configure permissions to exploit CVE-2022-28157.
CVE-2022-28157 allows attackers to upload arbitrary files from the Jenkins controller to an external FTP server.