VYPR
Critical severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-45395

Description

Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins CCCC Plugin 0.6 and earlier is vulnerable to XXE attacks due to unsecured XML parser configuration.

The Jenkins CCCC Plugin (up to version 0.6) fails to securely configure its XML parser, allowing XML External Entity (XXE) attacks [1]. This vulnerability arises because the plugin does not disable external entity processing or DTD loading in the XML parser, enabling attackers to exploit the parser's behavior [2].

An attacker who can supply a crafted XML file to the plugin, for example by uploading a malicious configuration to a Jenkins project, can exploit this vulnerability. No special privileges are required beyond typical Jenkins job configuration access, so the attack surface is significant in environments where untrusted users can create or modify jobs [1]. The plugin's default configuration does not enforce secure parsing, leaving it exposed.

Successful exploitation can lead to information disclosure, as the attacker may read arbitrary files on the Jenkins controller host (e.g., secrets, credentials, configuration files) via external entities. It may also enable server-side request forgery (SSRF) attacks against internal network resources, potentially compromising additional services [2].

As of the Jenkins Security Advisory published on November 15, 2022, no fix has been released for the CCCC Plugin [1]. Administrators are advised to either disable the plugin or restrict its use to trusted users. The plugin's source code is available on GitHub [4], but no patched version has been provided. Monitoring for updates from the Jenkins project is recommended.
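The narrative above describes the missing hardening in terms of parser features. As an added illustration that is not code from the CCCC plugin or from the Jenkins project, the following Java contrasts an unconfigured JAXP DocumentBuilderFactory with one configured the way the advisory says the plugin's is not: DOCTYPE declarations rejected, external general and parameter entities disabled, external DTD loading off, and XInclude disabled. The class and method names and the sample XML document are constructed for this example; the external entity in the sample deliberately points at a placeholder path and is never referenced, so the unconfigured run only shows that a DOCTYPE is let through, not that anything is fetched.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XxeSafeParsing {

    // Constructed sample input: a DOCTYPE whose internal subset declares an
    // external entity. The entity is never referenced in the body, so a
    // default parser accepts the document without touching the filesystem;
    // the only question being tested is whether a DOCTYPE gets through at all.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE report [ <!ENTITY ext SYSTEM \"file:///placeholder-path\"> ]>\n"
      + "<report><module>ok</module></report>";

    // The configuration the advisory says the plugin lacks. Disallowing the
    // DOCTYPE entirely is the decisive setting on the JDK-bundled Xerces; the
    // remaining features cover parsers that do not honour that one.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: empty string means no protocol may be used for
        // resolving external DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Returns true if the factory parses the document, false if the parser
    // rejects it (a SAXException, which is what disallow-doctype-decl raises).
    static boolean acceptsDocument(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, IOException {
        try {
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory unconfigured = DocumentBuilderFactory.newInstance();
        System.out.println("unconfigured factory accepts a DOCTYPE: "
            + acceptsDocument(unconfigured, SAMPLE_WITH_DOCTYPE));
        System.out.println("hardened factory accepts a DOCTYPE: "
            + acceptsDocument(hardenedFactory(), SAMPLE_WITH_DOCTYPE));
    }
}
```

Running the class shows the unconfigured factory accepting the DOCTYPE-bearing document and the hardened one rejecting it. In a Jenkins plugin the same effect is more conveniently obtained through Jenkins core's own pre-hardened helpers in jenkins.util.xml.XMLUtils, which apply equivalent settings; for a plugin that builds its own DocumentBuilderFactory, the feature set above is the check to apply during review.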

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                          Affected versions   Patched versions
com.thalesgroup.jenkins-ci.plugins:cccc (Maven)  <= 0.6              none

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1