XXE vulnerability in Jenkins REPO Plugin

GHSA-2w2m-ccf8-57cq · CVE-2022-43415

Published Oct 19, 2022 · Modified Feb 16, 2024

Description

REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control which repo binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

REPO Plugin 1.16.0 disables external entity resolution for its XML parser.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-43415
WEB https://github.com/jenkinsci/repo-plugin/commit/4c4a72c7de3d3e5bbbad223605ea264dcec56bc1
PACKAGE https://github.com/jenkinsci/repo-plugin
WEB https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2337
WEB http://www.openwall.com/lists/oss-security/2022/10/19/3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes