VYPR
High severity · NVD Advisory · Published Jan 29, 2020 · Updated Aug 4, 2024

CVE-2020-2108

Description

Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins WebSphere Deployer Plugin 1.6.1 and earlier has an XXE vulnerability allowing users with Job/Configure permissions to read arbitrary files or perform SSRF.

The Jenkins WebSphere Deployer Plugin up to version 1.6.1 does not disable XML external entity (XXE) processing when parsing XML input. This flaw allows an attacker to exploit the XML parser by injecting malicious external entities, leading to information disclosure or server-side request forgery (SSRF) [1][3].

Exploitation requires a user to have Job/Configure permissions on a Jenkins instance. The attacker can craft a job configuration or other XML payload that includes an external entity reference. When the plugin processes this XML, the parser resolves the entity, potentially exfiltrating file contents or making network requests from the Jenkins controller [1].

The impact of a successful XXE attack includes reading arbitrary files on the Jenkins controller (e.g., credentials, configuration files), performing SSRF attacks against internal services, or causing a denial of service through entity expansion. The vulnerability is rated with a CVSS score that reflects the potential for high confidentiality impact [3].

As of the advisory publication date (2020-01-29), no fix was available for the WebSphere Deployer Plugin. The Jenkins security advisory lists this as an unresolved issue [1][2]. Users are advised to restrict Job/Configure permissions to trusted users or consider disabling the plugin if it is not essential. The plugin's repository does not indicate a patched release [4].
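The advisory's core finding is an XML parser left in its default, entity-resolving configuration. The following Java example is added here and is not code from the WebSphere Deployer Plugin or the Jenkins project; it assumes the plugin parses XML through JAXP's DocumentBuilderFactory (the page does not name the parser) and contrasts the JDK default factory with a hardened one by parsing a constructed document that declares an external entity with a placeholder URI. A recording EntityResolver shows which configuration would actually try to fetch the external resource.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
public class XxeParserCheck {
    // Constructed sample: a DOCTYPE declaring an external general entity. The SYSTEM URI is a
    // deliberately invalid placeholder; what matters is whether the parser tries to resolve it.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE deploy [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
      + "<deploy><target>&ext;</target></deploy>";
    // Hardened factory: refuse DOCTYPEs outright, and as defence in depth also disable external
    // entities and external DTD loading in case a DOCTYPE ever has to be permitted.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Parses SAMPLE with the given factory and reports what happened. The EntityResolver records
    // whether the parser attempted to fetch the external entity, which is the unsafe behaviour.
    static String outcome(DocumentBuilderFactory f) throws ParserConfigurationException {
        final boolean[] resolutionAttempted = {false};
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> {
            resolutionAttempted[0] = true;
            return new InputSource(new StringReader("")); // never hand back real content
        });
        try {
            b.parse(new InputSource(new StringReader(SAMPLE)));
            return resolutionAttempted[0]
                ? "parsed; external entity resolution was attempted (unsafe)"
                : "parsed; no external access";
        } catch (SAXException | IOException e) {
            return "rejected by parser: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        // JDK default: DOCTYPE accepted and the external entity is resolved via the resolver.
        System.out.println("default factory : " + outcome(DocumentBuilderFactory.newInstance()));
        // Hardened: parsing stops at the DOCTYPE, the resolver is never called.
        System.out.println("hardened factory: " + outcome(hardenedFactory()));
    }
}
```

The same check can be run as a unit test against any factory a plugin exposes, so that a regression to the default configuration fails the build rather than surfacing as an advisory.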

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:websphere-deployer (Maven)
Affected versions: <= 1.6.1
Patched versions: none listed

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1