VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41241

Description

Jenkins RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins RQM Plugin 2.8 and earlier fails to disable XML external entity (XXE) processing, allowing attackers to read arbitrary files or perform SSRF attacks.

The Jenkins RQM Plugin (versions 2.8 and earlier) does not configure its XML parser to disable XML external entity (XXE) processing [1][2]. This is a classic XXE vulnerability where the parser, when handling XML input, will attempt to resolve and include external entities defined in the Document Type Definition (DTD) without restriction. The root cause is the lack of secure parser settings, such as disabling DTDs or external entity expansion, which should be standard practice for any plugin that processes user-supplied XML [2].
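As an added example (not code from the RQM Plugin or the Jenkins project), the secure parser settings the paragraph refers to, applied to a javax.xml DocumentBuilderFactory; the sample documents and the placeholder system identifier are constructed here:

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {
    // Constructed sample: a DOCTYPE declaring an external entity. The system
    // identifier is a placeholder, not a real path. A parser left at its JDK
    // defaults resolves such entities and inlines whatever they point at.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE report [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/not-a-real-file\"> ]>\n"
      + "<report>&ext;</report>";

    // A document with no DOCTYPE, which the hardened parser must still accept.
    static final String SAMPLE_PLAIN = "<?xml version=\"1.0\"?><report>ok</report>";

    /** Factory with the settings the advisory describes as missing: no DTDs, no external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE declaration outright; this alone blocks classic XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is ever allowed through.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true when the hardened parser accepts the input, false when it rejects it. */
    static boolean parsesWithHardenedParser(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // disallow-doctype-decl surfaces as a SAXParseException before any entity is resolved
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document parsed: " + parsesWithHardenedParser(SAMPLE_PLAIN));
        System.out.println("DTD document parsed:   " + parsesWithHardenedParser(SAMPLE_WITH_DTD));
    }
}
```

The same feature strings apply to SAXParserFactory, and for StAX the equivalent is setting XMLInputFactory.SUPPORT_DTD to false.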

Exploitation of this vulnerability requires that an attacker be able to provide malicious XML data to the RQM Plugin. On a Jenkins controller, this could be achieved by a user with the ability to create or modify job configurations that trigger the plugin's XML parsing, or by any means that allows injecting XML into the processing pipeline. No special authentication beyond a Jenkins account with appropriate permissions is typically needed; the attacker would send a crafted XML payload containing an external entity reference pointing to a local file (e.g., /etc/passwd) or an internal URL [1][2]. The plugin does not mitigate this by disabling entity resolution.

If successfully exploited, a remote attacker could read arbitrary files on the Jenkins controller's filesystem that are accessible to the Jenkins process, potentially exposing sensitive configuration, credentials, or source code. Additionally, the XXE could be leveraged to perform server-side request forgery (SSRF) attacks against internal network resources, scanning or interacting with services behind the firewall. The confidentiality and integrity of the system are directly at risk [1][2].

As of the advisory publication on 2022-09-21, no fix was released for the RQM Plugin; the advisory notes that the plugin is deprecated or has no planned update [1]. Users are advised to either remove the plugin if it is not needed, or to ensure that the Jenkins controller is not accessible to untrusted users who could supply malicious XML input. No workaround within the plugin itself is available [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions   Patched versions
net.praqma:rqm-plugin   Maven       <= 2.8              (none)

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1