VYPR
High severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34793

Description

Jenkins Recipe Plugin 1.2 and earlier fails to disable XML external entity processing, enabling XXE attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Jenkins Recipe Plugin, versions 1.2 and earlier, does not configure its XML parser to disable external entity processing. As a result, when the plugin parses XML data, the parser resolves external entities declared in the document's DTD, a classic XML external entity (XXE) vulnerability [1][2].

Exploitation

Conditions

An attacker would need the ability to supply a crafted XML file to the Recipe Plugin. Since Jenkins often handles user-provided configuration files or imported data, a malicious XML payload could be uploaded or posted to a Jenkins instance that uses the affected plugin. The attacker does not require prior authentication if the plugin processes untrusted input from unauthenticated users, though the specific attack vector depends on how the plugin ingests XML [1].

Impact

Successful exploitation allows an attacker to read arbitrary files from the Jenkins server's file system, perform server-side request forgery (SSRF), or, in some configurations, cause denial of service. An XXE attack could also lead to information disclosure, potentially exposing sensitive configuration data or credentials stored on the server [2].

Mitigation

Users should upgrade the Recipe Plugin to version 1.3 or later, which includes a fix that disables XXE processing by default. Administrators who cannot immediately upgrade should review the plugin's XML processing logic and apply workarounds such as restricting plugin usage or implementing additional input validation [1].
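The parser hardening the mitigation refers to, as an added example in Java (not the plugin's own code): the factory refuses any document carrying a DOCTYPE, so an external entity declaration is never resolved, while an ordinary recipe document still parses. The class name, element names and both sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedRecipeParser {
    // Constructed sample: a DTD declaring an external entity. Resolving &ext; is the
    // XXE behaviour; the SYSTEM URI is a placeholder and is never fetched here.
    static final String XXE_DOC = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE recipe [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>\n"
        + "<recipe><name>&ext;</name></recipe>";
    // Constructed sample of ordinary plugin input with no DTD at all.
    static final String PLAIN_DOC = "<?xml version=\"1.0\"?>\n"
        + "<recipe><name>deploy-staging</name></recipe>";

    // Factory configured the way a fixed plugin should configure it by default.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing every DOCTYPE stops external entities and entity-expansion DoS outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept a DOCTYPE but can be told not to fetch.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Parses with the hardened factory; returns the root element name, or null when
    // the parser rejected the document (the outcome wanted for XXE_DOC).
    static String parseRoot(String xml) throws Exception {
        try {
            Document d = hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXException e) {
            // Xerces reports that the DOCTYPE is disallowed because the feature is set.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document root: " + parseRoot(PLAIN_DOC));
        System.out.println("DOCTYPE document root: " + parseRoot(XXE_DOC));
    }
}
```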

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:recipe (Maven)
Affected versions: <= 1.2
Patched versions: (none listed)

Affected products: 2
Patches: 0 (no patches discovered yet)
References: 3
News mentions: 0