VYPR
Moderate severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-45397

Description

Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           org.jenkins-ci:update-center2 (Maven)
Affected versions: <= 1.0.2
Patched versions:  (none listed)

Vulnerability mechanics

Root cause

"The XML parser in the plugin is not configured to disable external entity processing, enabling XML External Entity (XXE) attacks."

Attack vector

An attacker exploits the missing XXE protection by getting a crafted XML document in front of the plugin's parser. The payload declares a DOCTYPE with an external entity whose SYSTEM identifier points at a local file (e.g., /etc/passwd, or a credentials file on the Jenkins controller or agent where the parse runs) or at an internal network URL. When the plugin parses the document, the parser resolves the entity and either substitutes the file contents into the document (which the plugin may then echo in lint output or error messages) or issues the request, yielding server-side request forgery (SSRF). How much access is needed depends on how the XML reaches the plugin: anyone who can influence the content it lints, for example by controlling files in the build workspace, is in scope, so valid Jenkins credentials are not necessarily required.

Affected code

The advisory states that Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. The patch [patch_id=1641182] only suspends the plugin from the Jenkins update center; it does not include any source-code fix for the XXE vulnerability itself. No specific function or file path within the plugin is shown in the supplied bundle.

What the fix does

The patch [patch_id=1641182] does not fix the XXE vulnerability in the plugin's source code. Instead, it adds the plugin identifier `osf-builder-suite-xml-linter` to the `resources/artifact-ignores.properties` file, which suspends the plugin from the Jenkins update center. This prevents new installations but does not remediate existing ones; administrators with the plugin already installed should remove or disable it, since no patched plugin version is listed. A proper fix would require configuring the XML parser to disable DTD processing and external entity resolution (e.g., setting `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` and `XMLInputFactory.SUPPORT_DTD` to false for StAX, or enabling the `disallow-doctype-decl` feature on a `DocumentBuilderFactory` for DOM).
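The following is an added example written for this page, not code from the XML Linter plugin (the page does not show which parser API the plugin uses, so both the DOM and StAX configurations are shown as assumptions). It parses a constructed XXE payload with a default JAXP `DocumentBuilder`, which substitutes the contents of a temp file standing in for a secret, and then with a hardened builder that refuses the DOCTYPE outright. The file name and payload are fixtures constructed for the demo.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XxeDemo {

    // Unsafe: JAXP defaults load DTDs and resolve external general entities.
    // This is the kind of configuration the advisory describes; the plugin's
    // real code is not shown on this page (assumption).
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened DOM parser: refusing DOCTYPE entirely blocks external entities,
    // parameter entities and entity-expansion bombs in one step. The remaining
    // features and attributes are belt-and-braces for parsers that do not
    // honour disallow-doctype-decl.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Hardened StAX factory, the equivalent settings if the linter streams
    // the document instead of building a DOM (assumption: API choice).
    static XMLInputFactory hardenedStax() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    // Stand-in for a lint step: parse and return the text of <name>, or the
    // parser's rejection message. An error message that echoes the document is
    // exactly how XXE-extracted data leaks back to the attacker.
    static String lint(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getElementsByTagName("name").item(0).getTextContent();
        } catch (Exception e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a file on disk standing in for a credential.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "hunter2");

        // Constructed payload: classic XXE via a SYSTEM entity pointing at the file.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE lint [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<config><name>&xxe;</name></config>";

        System.out.println("unsafe:   " + lint(unsafeBuilder(), payload));   // prints the file contents
        System.out.println("hardened: " + lint(hardenedBuilder(), payload)); // DOCTYPE is rejected
        Files.delete(secret);
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo` on Java 11 or later (no dependencies beyond the JDK). The first line shows the entity expanded to the file's contents; the second shows a SAXParseException about the disallowed DOCTYPE. Rejecting DOCTYPE is the preferred fix because it needs no allow-list of entities and also closes the billion-laughs case; if a linter must accept documents with DTDs, keep the DOCTYPE feature off but leave the external-entity, load-external-dtd and ACCESS_EXTERNAL_* settings as shown.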

Preconditions

  • config: The plugin must be installed and running on a Jenkins instance.
  • input: The attacker must be able to supply a crafted XML file to the plugin's parser, either through an unauthenticated path or with valid credentials.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
