VYPR
High severity · NVD Advisory · Published Sep 23, 2020 · Updated Aug 4, 2024

CVE-2020-2284

Description

Jenkins Liquibase Runner Plugin ≤1.4.5 does not disable XML external entity processing, allowing XXE attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Jenkins Liquibase Runner Plugin, version 1.4.5 and earlier, does not configure its XML parser to disable external entity resolution, leaving it open to XML external entity (XXE) attacks [1][3]. When the plugin parses XML input such as a Liquibase changelog file, any external entities declared in the document's DOCTYPE are fetched and expanded into the parsed content. The root cause is missing hardening of the underlying parser: the standard Java (JAXP) parsers resolve external entities by default, so an application that does not explicitly disable DOCTYPE processing or the external-entity features inherits that behaviour. This is a common oversight in XML-consuming code.

Exploitation

An attacker crafts an XML document whose DOCTYPE declares external entities pointing at local files or network resources and references them in element content. If that document reaches the plugin, for example because a user able to configure jobs or run builds points a Liquibase build step at it, or, since changelogs are typically read from the build workspace, because the attacker can commit it to the repository the job checks out, the plugin expands the entities while parsing. No authentication beyond the Jenkins permissions needed to get the file in front of the build step is required, and the attack is delivered over the network through ordinary job configuration and execution.

Impact

Successful exploitation lets the attacker read files from the Jenkins controller's file system (secrets, credentials and configuration files, for example) via file: external entities, or make the controller issue requests to internal network resources (server-side request forgery, SSRF) via URL-based entities [1][2]. The usual XXE caveats apply: plain general-entity expansion only returns file contents that remain well-formed inside the XML document, and the attacker only learns the result if the parsed content is echoed back (build output, error messages) or exfiltrated out of band. Even so, controller secrets are high value and can enable further lateral movement within the Jenkins environment.

Mitigation

The narrative's reference [2] gives the fixed version as 1.4.8, while the GitHub Security Advisory data under Affected packages lists 1.4.7 as the first patched release; in either case, upgrade to the current Liquibase Runner Plugin release. No workaround short of updating is available: the fix is a change to the plugin's own parser configuration (disabling external entity processing), which an administrator cannot apply from outside the plugin. Until the upgrade is done, limit exposure by restricting who can configure jobs that use the plugin's build steps and who can commit to the repositories whose changelogs those jobs read.
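Added example, not code from the plugin or from the Jenkins advisory: a constructed, changelog-shaped payload that declares a file-backed external entity is parsed first with a JAXP DocumentBuilderFactory left at JDK defaults (which resolve external entities, the unhardened state described under Overview and Exploitation) and then with the factory hardened in the way the fix is described under Mitigation. The class name, entity name and file contents are assumptions; the "secret" is a temporary file the example creates itself.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example (not the Liquibase Runner Plugin's code).
public class XxeDemo {

    // Constructed changelog-shaped payload. The DOCTYPE declares an external
    // general entity backed by a local file; referencing it inside an element
    // makes the file contents land in the parsed DOM. Pointing the SYSTEM
    // identifier at an http:// URL instead turns the same payload into SSRF.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE databaseChangeLog [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<databaseChangeLog>\n"
             + "  <changeSet id=\"1\" author=\"attacker\">\n"
             + "    <comment>&xxe;</comment>\n"
             + "  </changeSet>\n"
             + "</databaseChangeLog>\n";
    }

    // Factory left at JDK defaults: external entities are resolved.
    static DocumentBuilderFactory unhardened() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: refuse DOCTYPE outright (which also blocks parameter
    // entities and entity-expansion DoS), and additionally disable external
    // entities and external DTD/schema access for parsers that must allow
    // a DOCTYPE for some other reason.
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse with the given factory and return the text of the <comment> element.
    static String commentText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            Document d = b.parse(in);
            return d.getElementsByTagName("comment").item(0).getTextContent();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a controller secret.
        Path secret = Files.createTempFile("jenkins-secret", ".txt");
        Files.writeString(secret, "master.key=deadbeef\n");
        String xml = payload(secret);

        System.out.println("unhardened parser returned: " + commentText(unhardened(), xml).trim());
        try {
            commentText(hardened(), xml);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `java XxeDemo.java` (JDK 11 or later). The unhardened branch shows the temp file's contents surfacing inside the parsed changelog; the hardened branch fails at the DOCTYPE before any entity is resolved. Disallowing the DOCTYPE is the setting that matters most; the remaining features and the ACCESS_EXTERNAL_* attributes are defence in depth for code paths that cannot reject DOCTYPEs.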

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:liquibase-runner (Maven)
Affected versions: < 1.4.7
Patched versions: 1.4.7

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 1