CVE-2022-28155: 
Java vulnerability analysis and mitigation

Jenkins Pipeline: Phoenix AutoTest Plugin version 1.3 and earlier contains a critical XML External Entity (XXE) vulnerability identified as CVE-2022-28155. The vulnerability was discovered and disclosed on March 29, 2022. This security flaw affects the plugin's XML parsing functionality, specifically in the readXml and writeXml build steps (Jenkins Advisory, OSS Security).

The vulnerability stems from the plugin's failure to properly configure its XML parser to prevent XML external entity (XXE) attacks. The issue specifically affects the readXml and writeXml build steps in the plugin. The severity of this vulnerability is rated as High according to CVSS scoring system (Jenkins Advisory).

When exploited, this vulnerability allows attackers who can control the input files for the readXml or writeXml build steps to have Jenkins parse crafted files that use external entities. This can lead to the extraction of secrets from the Jenkins controller or enable server-side request forgery attacks (Jenkins Advisory).

As of the advisory's publication date on March 29, 2022, no fix was available for this vulnerability. Users of the Pipeline: Phoenix AutoTest Plugin version 1.3 and earlier should be aware of the risk and consider implementing additional security controls to prevent unauthorized access to the affected build steps (Jenkins Advisory).