CVE-2022-28145: 
Java vulnerability analysis and mitigation

CVE-2022-28145 is a high-severity vulnerability affecting the Jenkins Continuous Integration with Toad Edge Plugin versions 2.3 and earlier. The vulnerability was discovered and disclosed on March 29, 2022. The issue stems from the plugin using a patched fork of an old version of the file browser that removes Content-Security-Policy header functionality (Jenkins Advisory).

The vulnerability occurs because the plugin uses a modified version of the file browser for workspaces, archived artifacts, and userContent/ from Jenkins core (DirectoryBrowserSupport) to serve reports. This fork specifically removes the Content-Security-Policy header functionality that was originally introduced for SECURITY-95. The vulnerability has been assigned a High severity rating (Jenkins Advisory).

The vulnerability results in a stored cross-site scripting (XSS) vulnerability that can be exploited by attackers with Item/Configure permission or those who can control report contents. This could potentially allow attackers to execute malicious JavaScript code in the context of other users' browsers (Jenkins Advisory).

The vulnerability has been fixed in Continuous Integration with Toad Edge Plugin version 2.4, which now uses the built-in Jenkins file browser to serve reports. Users should upgrade to this version to mitigate the vulnerability. Some reports generated by this plugin rely on the ability to execute JavaScript, and users should consult the plugin's documentation for detailed explanations and options (Jenkins Advisory).