Allele Security Alert
Identifiers: ASA-2019-00098, SECURITY-905, CVE-2019-1003015
XML External Entity (XXE) vulnerability in Job Import Plugin
Affected versions: Job Import Plugin up to and including 2.1
Fixed version: Job Import Plugin version 3.0
Proof of concept
Job Import Plugin allows importing jobs from other Jenkins instances. As the first step in this process, the plugin sends a request to the other Jenkins instance and parses the XML REST API output to obtain a list of jobs that could be imported.
Job Import Plugin did not configure its XML parser to prevent XML External Entity (XXE) processing. This allowed attackers able to control either the server Jenkins queries, or the URL Jenkins queries, to have it parse a maliciously crafted XML response that uses external entities to extract secrets from the Jenkins master, perform server-side request forgery (SSRF), or cause denial of service.
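The following is an added illustration, not code from Job Import Plugin or the Jenkins advisory: it shows how a JAXP DocumentBuilderFactory (assumed here; the page does not show which parser the plugin uses) is hardened so that a remote /api/xml response carrying a DOCTYPE with an external entity is rejected before any entity is resolved. The sample response and its placeholder URI are constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXParseException;

public class HardenedJobListParser {

    // Constructed stand-in for the XML REST API reply of a remote Jenkins.
    // A hostile server controls this text entirely; here the DOCTYPE declares
    // an external entity pointing at a placeholder URI (hypothetical).
    static final String UNTRUSTED_RESPONSE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE hudson [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
      + "<hudson><job><name>&ext;</name></job></hudson>";

    /** A plain newInstance().newDocumentBuilder() resolves external entities by
     *  default; this factory refuses DOCTYPE declarations outright instead. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DTD means no entity declarations at all, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should DOCTYPE handling ever be relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true when the document is rejected before any entity resolution. */
    static boolean rejectsExternalEntities(String xml) throws Exception {
        DocumentBuilder db = hardenedBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed: the entity reference would have been expanded
        } catch (SAXParseException e) {
            return true;  // Xerces reports that DOCTYPE is disallowed
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected: " + rejectsExternalEntities(UNTRUSTED_RESPONSE));
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory; whichever parser is used, the check is that a DOCTYPE in the remote reply fails the parse rather than being silently expanded.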
Credit: Thomas Chauchefoin (Synacktiv) and Julien Szlamowicz (Synacktiv)
Reference: Jenkins Security Advisory 2019-01-28
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019