VYPR
High severity · NVD Advisory · Published Jan 23, 2018 · Updated Sep 17, 2024

CVE-2018-1000012

Description

Jenkins Warnings Plugin 4.64 and earlier allows XXE attacks, leading to secret extraction, SSRF, or denial of service via crafted build files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Warnings Plugin versions 4.64 and earlier [1][2] fail to disable XML external entity (XXE) processing when parsing XML files as part of the build process. This allows an attacker to craft a malicious file that includes external entity references. The vulnerability affects any Jenkins instance where the plugin is installed and users can configure build steps that invoke the Warnings parser.

Exploitation

An attacker with user-level permissions on Jenkins (e.g., ability to configure jobs or submit XML files that are parsed by the plugin) can supply a specially crafted XML file containing external entity references. The plugin’s parser will then process these entities, potentially allowing the attacker to extract file contents from the Jenkins master filesystem, perform server-side request forgery (SSRF) against internal or external services, or trigger a denial-of-service (DoS) condition via entity expansion [1][2].

Impact

Successful exploitation can result in disclosure of sensitive secrets (e.g., credentials, tokens) stored on the Jenkins controller, SSRF enabling further attacks on internal networks, or resource exhaustion leading to DoS. The attacker does not require administrative privileges on Jenkins, only the ability to influence the XML content parsed by the plugin [1][2].

Mitigation

Jenkins fixed the vulnerability in Warnings Plugin version 4.65, released on 2018-01-22 [2]. Users should upgrade to version 4.65 or later. For affected versions (4.64 and earlier), upgrading is the only recommended mitigation, because the plugin parses user-supplied XML files by design. The fix disables external entity resolution in the XML parser [2]. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
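The fix described above amounts to configuring the plugin's JAXP parser so that it never resolves a DTD or an external entity. The following is an added illustration of that kind of hardening, not the plugin's own code; it assumes the JDK's built-in JAXP (Xerces) implementation, and the report format, the <warning> element and the placeholder entity URI are constructed for the demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Illustrative hardening of a JAXP DOM parser, the kind of change the
// advisory describes (not the Warnings Plugin's own code).
public class HardenedXmlParser {

    // A parser that refuses DTDs outright. With no DOCTYPE there is no way
    // to declare an entity, so file disclosure, SSRF through entity URIs and
    // entity-expansion DoS are all ruled out by a single setting.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the number of <warning> elements, or -1 if the parser rejects the input.
    static int countWarnings(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("warning").getLength();
        } catch (Exception e) {
            System.out.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a benign report, and one carrying a DTD that
        // declares an external entity (placeholder URI; nothing is ever read).
        String benign = "<report><warning file=\"a.c\" line=\"3\"/></report>";
        String withDtd = "<!DOCTYPE report [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                       + "<report><warning file=\"&ext;\"/></report>";
        DocumentBuilder hardened = hardenedBuilder();
        System.out.println("benign  -> " + countWarnings(hardened, benign));
        System.out.println("withDtd -> " + countWarnings(hardened, withDtd));
    }
}
```

The hardened builder parses the benign report normally and rejects the second document at the DOCTYPE, before any entity is resolved; a default `DocumentBuilderFactory` would instead attempt to fetch the entity's URI.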

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched versions
org.jvnet.hudson.plugins:warnings (Maven) < 4.65              4.65


Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
