VYPR
High severity · NVD Advisory · Published Jan 15, 2020 · Updated Aug 6, 2024

CVE-2015-1811

Description

XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2015-1811 is a critical XXE vulnerability in Jenkins before 1.600 and LTS before 1.596.1, allowing remote attackers to read arbitrary XML files.

Vulnerability

Analysis

CVE-2015-1811 is an XML External Entity (XXE) vulnerability in CloudBees Jenkins (formerly Jenkins) versions prior to 1.600 and in the LTS line before 1.596.1 [1]. The root cause is improper handling of XML documents during processing, which allows an attacker to inject external entities that the XML parser will evaluate [2]. This issue was reported as SECURITY-167 in the Jenkins security advisory published on 2015-02-27 [3].

Exploitation

Exploitation is described as easy to mount, requiring only the ability to submit a crafted XML document to the Jenkins server [3]. The attack can be performed remotely without authentication, as the vulnerability exists in XML processing endpoints that accept user-supplied XML. The attacker crafts an XML payload that references a local file using an external entity, and the server's XML parser processes this entity, leaking file contents back to the attacker through the response or error messages.

Impact

Successful exploitation results in the exposure of sensitive information [3]. An attacker can read arbitrary XML files (and potentially other files if the parser supports other external entities) on the Jenkins controller's file system. This could leak credentials, configuration files, and other sensitive data that could lead to further compromise of the Jenkins instance and its connected systems.

Mitigation

Jenkins has addressed this vulnerability in versions 1.600 and later, and in LTS 1.596.1 and later [1]. Users should upgrade to patched versions immediately. Red Hat also released updated jenkins packages for Fedora 21 and 22 that include the fix [2]. No workarounds are documented; however, restricting access to XML processing endpoints and disabling external entity processing in XML parsers (if possible) could reduce risk until patching is completed.
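As an added example (not code from the advisory, NVD, or the Jenkins project), the following Java program shows the parser-level hardening the mitigation paragraph refers to: a default JAXP DocumentBuilder, which honours DTDs and attempts to resolve external entities, beside one configured to reject DOCTYPE declarations and to disable external general/parameter entities, external DTD loading and XInclude. The feature URIs are the standard Xerces feature names supported by the JDK's built-in parser. The two sample documents, the job/description element names and the placeholder SYSTEM URI are constructed for this demonstration; they are not Jenkins' own XML formats and not a payload from the advisory.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {

    // Constructed sample: an internal DTD declaring an external general entity.
    // The SYSTEM URI is a placeholder, not a real path on any system.
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE job [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\"> ]>\n"
      + "<job><description>&ext;</description></job>";

    // Constructed sample: an ordinary document with no DTD at all.
    static final String SAMPLE_PLAIN =
        "<?xml version=\"1.0\"?><job><description>nightly build</description></job>";

    /** Default JAXP configuration: DTDs are processed and external entities are resolved. */
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: refuse any DOCTYPE, and switch off every entity and XInclude path. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE entirely is the simplest and strongest setting: no DTD, no entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt-and-braces for parsers where a DOCTYPE must be tolerated: no external entity resolution.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /**
     * Parses the document and returns the text of the first description element,
     * or null when the parser rejected the input or failed to resolve an entity.
     */
    static String parseDescription(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getElementsByTagName("description").item(0).getTextContent();
        } catch (SAXException | IOException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Plain document: accepted by the hardened parser as before.
        System.out.println("plain, hardened:           "
            + parseDescription(hardenedBuilder(), SAMPLE_PLAIN));
        // DOCTYPE present: the hardened parser throws a SAXParseException before any entity is touched.
        System.out.println("external entity, hardened: "
            + parseDescription(hardenedBuilder(), SAMPLE_WITH_EXTERNAL_ENTITY));
        // Default parser: it attempts to open the SYSTEM URI. With the placeholder
        // path that attempt fails with an IOException, so null is returned here too;
        // the difference is that resolution was attempted at all.
        System.out.println("external entity, default:  "
            + parseDescription(vulnerableBuilder(), SAMPLE_WITH_EXTERNAL_ENTITY));
    }
}
```

Feeding the DOCTYPE-bearing sample to every XML ingestion point is a practical regression check: a hardened endpoint fails the parse before resolving anything. The same feature names apply to SAXParserFactory, and XMLInputFactory has its own properties (IS_SUPPORTING_EXTERNAL_ENTITIES, SUPPORT_DTD) that should be set to false where StAX is used.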

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    | Affected versions   | Patched versions
org.jenkins-ci.main:jenkins-core (Maven)   | >= 1.597, < 1.600   | 1.600
org.jenkins-ci.main:jenkins-core (Maven)   | < 1.596.1           | 1.596.1

Affected products: 5


References: 5
