ASA-2019-00098 – Jenkins: XML External Entity (XXE) vulnerability in Job Import Plugin

Job Import Plugin allows to import jobs from other Jenkins instances. As a first step in this process, Job Import Plugin sends a request to another Jenkins instance, parsing XML REST API output to obtain a list of jobs that could be imported. Job Import Plugin did not configure the XML parser in a way that would prevent XML External Entity (XXE) processing. This allowed attackers able to control either the server Jenkins will query, or the URL Jenkins queries, to have it parse a maliciously crafted XML response that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery (SSRF), or denial-of-service attacks.