VYPR
High severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 30, 2025

CVE-2022-45400

Description

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins JAPEX Plugin 1.7 and earlier does not disable XML external entity (XXE) processing, allowing attackers to read arbitrary files or conduct SSRF attacks.

Vulnerability

Overview

Jenkins JAPEX Plugin 1.7 and earlier does not properly configure its XML parser to prevent XML external entity (XXE) attacks [1][2][3]. This means that when the plugin processes XML data, it can expand external entities defined in the XML document, leading to information disclosure and server-side request forgery (SSRF).

Exploitation

Details

An attacker with the ability to provide a malicious XML file to the JAPEX Plugin (e.g., as part of a job configuration or build parameter) can craft an XXE payload. The attack requires no special authentication beyond being able to interact with the plugin's XML parsing functionality; in a default Jenkins setup, any authenticated user with job creation or configuration permissions might be able to trigger the vulnerability [1][2]. The plugin does not mitigate XXE by disabling DOCTYPE declarations or external entity resolution.

Impact

Successful exploitation allows an attacker to read arbitrary files from the Jenkins controller's file system (e.g., credentials, secrets, configuration files) or to perform SSRF attacks against internal network resources [1][3]. This can lead to further compromise of the Jenkins infrastructure or adjacent systems.

Mitigation

Jenkins has not released a patched version of the JAPEX Plugin; the advisory notes that the issue remains unresolved as of November 2022 [1][2]. Administrators are advised to either remove or disable the plugin if it is not essential, or to restrict access to XML parsing features of the plugin via Jenkins' authorization mechanisms until a fix is provided.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jvnet.hudson.plugins:japex (Maven)
Affected versions: <= 1.7
Patched versions: (none listed)

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1