CVE-2022-28148: 
Java vulnerability analysis and mitigation

CVE-2022-28148 is a path traversal vulnerability discovered in the Continuous Integration with Toad Edge Plugin for Jenkins. The vulnerability affects versions 2.3 and earlier of the plugin, which was disclosed on March 29, 2022. The issue exists in a patched fork of an old version of the file browser for workspaces, archived artifacts, and userContent from Jenkins core (DirectoryBrowserSupport) that is used to serve reports (Jenkins Advisory).

The vulnerability stems from the plugin using a forked version of Jenkins core's DirectoryBrowserSupport that did not receive the fix for SECURITY-2481 in Jenkins 2.315 and LTS 2.303.2. The severity is rated as Medium according to CVSS scoring. The vulnerability specifically affects Windows-based Jenkins controllers (Jenkins Advisory).

The vulnerability allows attackers with Item/Read permission to obtain the contents of arbitrary files on Windows controllers through path traversal (Jenkins Advisory).

The vulnerability has been fixed in Continuous Integration with Toad Edge Plugin version 2.4, which uses the built-in Jenkins file browser to serve reports, inheriting the security fix from Jenkins core when running on a recent enough version. Users should upgrade to version 2.4 or later to mitigate this vulnerability (Jenkins Advisory).