CVE-2022-43415
Description
Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins REPO Plugin 1.15.0 and earlier parses the repo manifest XML with a default, unhardened parser, so an attacker who controls that manifest can use external entities to read files from the Jenkins controller or to make the controller issue server-side requests (SSRF).
Vulnerability
Overview
Jenkins REPO Plugin 1.15.0 and earlier fails to configure its XML parser to prevent XML External Entity (XXE) attacks [1][2]. The fix commit [4] shows where: RevisionState builds a DOM from the repo manifest XML with a plain DocumentBuilderFactory.newInstance().newDocumentBuilder(), which by default honours a DOCTYPE in the input and resolves any external entities it declares. A manifest the plugin reads can therefore instruct the parser to fetch a local file or a URL and splice the result into the parsed document.
Attack
Vector
An attacker who controls the manifest XML the plugin parses can add a DOCTYPE that declares an external entity pointing at a local file (file:///...) or an internal network address and reference that entity in the document body; the parser fetches the target while parsing. Gaining that control means, in practice, commit access to the manifest repository a job already uses, or persuading a Jenkins administrator or a user with SCM configuration privileges to point a job at a crafted manifest repository. The gate is control over the manifest content, not authentication to Jenkins itself [3].
Impact
Successful exploitation lets the attacker read files from the Jenkins controller file system (credentials, secrets, configuration files) or perform server-side request forgery (SSRF) against services reachable from the controller, potentially leading to further compromise of the Jenkins environment [1][3]. One practical limit of a plain XXE file read: the fetched content is spliced into the XML, so a file containing characters such as < or & that break well-formedness makes the parse fail instead of leaking cleanly; parameter-entity and out-of-band variants are the usual way around that.
Mitigation
The vulnerability is fixed in REPO Plugin 1.16.0, which replaces the default DocumentBuilderFactory with jenkins.util.xml.XMLUtils.parse, the hardened XML parsing helper from Jenkins core [4]. Users should upgrade immediately. There is no workaround other than updating the plugin. Jenkins published a security advisory for the fix on 2022-10-19 [5].
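The mechanics described above (the vulnerable parser pattern, a manifest carrying an external entity, and a hardened parser that refuses it) as an added stand-alone example. This is not the plugin's code: the manifest, the temporary "secret" file and the <leak> element are constructed for the demo (real repo manifests have no <leak> element), and parseHardened is an equivalent written for a plain JDK, not a copy of what jenkins.util.xml.XMLUtils does. Requires Java 11+ for Files.writeString.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Demo of the CVE-2022-43415 parser mis-configuration: one repo-style manifest
 * is parsed with a default DocumentBuilderFactory (the pre-1.16.0 pattern) and
 * then with a hardened one. Everything here is constructed for the demo.
 */
public class ManifestXxeDemo {

    /** Pre-fix pattern: a default factory resolves DOCTYPE-declared external entities. */
    static Document parseInsecure(String xml) throws Exception {
        InputSource src = new InputSource();
        src.setCharacterStream(new StringReader(xml));
        return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(src);
    }

    /**
     * Hardened variant for a plain JDK (assumption: not what XMLUtils.parse does
     * internally). The plugin's actual fix delegates to Jenkins core instead.
     */
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no DTD means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that lack the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file on the controller (constructed, not real).
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.writeString(secret, "EXAMPLE-ONLY-SECRET-VALUE");
        try {
            // Attacker-controlled manifest: the DOCTYPE declares an external entity
            // backed by the file, and the body references it.
            String manifest = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE manifest [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<manifest>\n"
                + "  <remote name=\"origin\" fetch=\"https://example.invalid/\"/>\n"
                + "  <project name=\"platform/build\" path=\"build\"/>\n"
                + "  <leak>&xxe;</leak>\n"
                + "</manifest>\n";

            // Default parser: the entity is resolved and the file content lands in <leak>.
            Document doc = parseInsecure(manifest);
            System.out.println("default parser, <leak> text: "
                + doc.getElementsByTagName("leak").item(0).getTextContent());

            // Hardened parser: the DOCTYPE itself is rejected before any entity is touched.
            try {
                parseHardened(manifest);
                System.out.println("hardened parser accepted the manifest (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected it: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `javac ManifestXxeDemo.java && java ManifestXxeDemo`. The entity is placed in element text rather than an attribute because XML forbids external entity references in attribute values; that constraint shapes where a real payload can land. The feature list in parseHardened is the standard JAXP hardening set; disallowing the DOCTYPE is the one that matters most, the rest cover parsers that do not support it.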
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:repo (Maven) | < 1.16.0 | 1.16.0 |
Affected products
- Range: <=1.15.0
- Range: unspecified
Patches
1 file changed · +2 −8
src/main/java/hudson/plugins/repo/RevisionState.java+2 −8 modified@@ -38,12 +38,11 @@ import java.util.logging.Logger; import javax.annotation.Nullable; -import javax.xml.parsers.DocumentBuilderFactory; +import jenkins.util.xml.XMLUtils; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; -import org.xml.sax.InputSource; /** * A RevisionState records the state of the repository for a particular build. @@ -86,12 +85,7 @@ class RevisionState extends SCMRevisionState implements Serializable { this.branch = branch; this.file = file; try { - final InputSource xmlSource = new InputSource(); - xmlSource.setCharacterStream(new StringReader(manifest)); - final Document doc = - DocumentBuilderFactory.newInstance().newDocumentBuilder() - .parse(xmlSource); - + final Document doc = XMLUtils.parse(new StringReader(manifest)); if (!doc.getDocumentElement().getNodeName().equals("manifest")) { if (logger != null) { logger.println("Error - malformed manifest");
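Review bot: in the import hunk, swapping javax.xml.parsers.DocumentBuilderFactory for jenkins.util.xml.XMLUtils moves the parser configuration into Jenkins core, so the plugin now depends on a core release that ships that class; confirm the pom's jenkins.version is at least such a release, otherwise the plugin compiles against a newer core than it declares and fails at runtime on older controllers. The java.io.StringReader import is still needed by the new `XMLUtils.parse(new StringReader(manifest))` call and correctly stays.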
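Review bot: in the RevisionState constructor hunk, the removed `DocumentBuilderFactory.newInstance().newDocumentBuilder()` was the only statement in this try block that throws ParserConfigurationException; `XMLUtils.parse(Reader)` throws SAXException and IOException only, so if the catch clauses below the hunk still name ParserConfigurationException the file will not compile (checked exception never thrown in the try body) and that catch should be dropped. Delegating to the core helper rather than hand-setting parser features is the right fix shape. One behaviour change worth a line in the changelog: a manifest that the hardened parser refuses now surfaces as an exception in those catch clauses rather than reaching the "malformed manifest" branch shown here, so the error a user sees differs from the old path.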
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-2w2m-ccf8-57cq (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-43415 (NVD)
- [3] www.openwall.com/lists/oss-security/2022/10/19/3 (oss-security mailing list)
- [4] github.com/jenkinsci/repo-plugin/commit/4c4a72c7de3d3e5bbbad223605ea264dcec56bc1 (fix commit)
- [5] www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory)