CVE-2022-28140: 
Java vulnerability analysis and mitigation

The Jenkins Flaky Test Handler Plugin version 1.2.1 and earlier contains a high-severity XML External Entity (XXE) vulnerability identified as CVE-2022-28140. This vulnerability was discovered and reported by Jeff Thompson from CloudBees, Inc., and was publicly disclosed on March 29, 2022. The affected component is the XML parser within the Flaky Test Handler Plugin, which is used in Jenkins continuous integration environments (Jenkins Advisory).

The vulnerability stems from an improperly configured XML parser that does not prevent XML external entity (XXE) attacks. The issue has been assigned a severity rating of High according to the CVSS scoring system. The vulnerability specifically affects the XML parsing functionality within the Flaky Test Handler Plugin versions 1.2.1 and earlier (Jenkins Advisory).

The vulnerability allows attackers with Item/Configure permission to exploit the XML parser by crafting malicious files that use external entities. This can lead to two primary attack vectors: extraction of secrets from the Jenkins controller and server-side request forgery (SSRF) attacks (Jenkins Advisory).

The vulnerability has been fixed in Flaky Test Handler Plugin version 1.2.2, which disables external entity resolution for its XML parser. Users are advised to update to this version to mitigate the vulnerability. The fix prevents the processing of external entities in XML files, effectively blocking XXE attacks (Jenkins Advisory).