CVE-2022-36894: 
Java vulnerability analysis and mitigation

CLIF Performance Testing Plugin version 64.vc0d66de1dfb_f and earlier contains a high severity vulnerability (CVE-2022-36894) that was discovered and reported by Brian Hysell from Synopsys Software Integrity Group. The vulnerability was disclosed on July 27, 2022, affecting the Jenkins automation server plugin. This security issue allows attackers with Overall/Read permission to perform arbitrary file writes on the Jenkins controller file system (Jenkins Advisory).

The vulnerability stems from the plugin's failure to validate file paths when extracting files from an archive. This implementation flaw allows extraction of files without proper path validation, enabling attackers to write files to arbitrary locations on the Jenkins controller file system. The vulnerability has been assigned a severity rating of High according to the CVSS scoring system (Jenkins Advisory).

When exploited, this vulnerability allows attackers with Overall/Read permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. This level of file system access could potentially lead to system compromise, data manipulation, or service disruption (Jenkins Advisory).

At the time of the security advisory's publication, no fix was available for this vulnerability. Organizations using the affected versions of CLIF Performance Testing Plugin should assess their risk and consider implementing additional security controls to restrict access to the plugin's functionality (Jenkins Advisory).