VYPR
Critical severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24441

Description

Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins MSTest Plugin 1.0.0 and earlier has an XXE vulnerability due to an unsecured XML parser, allowing attackers to read arbitrary files or perform SSRF.

Vulnerability

Description

Jenkins MSTest Plugin versions 1.0.0 and earlier do not disable XML external entity (XXE) processing in their XML parser, leaving them vulnerable to XXE attacks. The plugin uses DocumentBuilderFactory without configuring the features that prevent external entity inclusion, such as disallow-doctype-decl or external-general-entities [1][2]. As a result, a crafted XML file that the plugin parses can reference external entities.

Exploitation

Exploitation requires an attacker to provide or control a file that the plugin's XML parser processes. In Jenkins environments, this could be a test result file or configuration data submitted via the plugin's functionality. No authentication is strictly necessary beyond the ability to trigger the plugin's parsing of XML content, though typical setups may require some level of Jenkins access. The attack can be launched remotely over the network [1].

Impact

Successful exploitation allows an attacker to read arbitrary files on the Jenkins controller file system, such as secrets or configuration files, or perform server-side request forgery (SSRF) by causing the controller to make requests to internal or external systems. This could lead to further compromise of the Jenkins environment and connected infrastructure [1][3].

Mitigation

The vulnerability is fixed in MSTest Plugin version 1.0.1, released January 24, 2023. The fix adds explicit parser configuration to disable DTDs and external entities, as seen in the commit [2]. Users are advised to upgrade to version 1.0.1 or later. No workaround is available [4].
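As an added illustration, not code from the plugin or the advisory, the Java program below contrasts a DocumentBuilderFactory left at JDK defaults (the pre-1.0.1 state described above) with one configured using the same feature set as the 1.0.1 fix, and shows that the hardened builder refuses a constructed document that carries a DOCTYPE declaration. The class name, the two sample documents, and the extra setXIncludeAware/setExpandEntityReferences calls are my additions and are not part of the fix commit.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example (not the plugin's code): default vs hardened DocumentBuilderFactory. */
public class XxeSafeParserDemo {

    // Constructed sample: a DOCTYPE with an internal entity only. A plugin that
    // ingests test result files never needs a DTD, so any DOCTYPE is rejected.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE results [ <!ENTITY name \"unit\"> ]>\n"
      + "<results><test>&name;</test></results>";

    // Constructed sample: the shape of input the plugin should accept.
    static final String PLAIN =
        "<?xml version=\"1.0\"?><results><test>unit</test></results>";

    /** Mirrors the pre-fix state: JDK defaults, DTDs and entity resolution allowed. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Same feature set as the 1.0.1 fix, collected in one helper so call sites cannot drift. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; without a DTD there are no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Not in the fix commit (my addition): no XInclude, no entity expansion in the DOM.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the root element name, or null when the builder refuses the document. */
    static String rootOf(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXException | IOException e) {
            // disallow-doctype-decl surfaces as a SAXParseException at the DOCTYPE line.
            return null;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        System.out.println("default builder, DOCTYPE input:  " + rootOf(defaultBuilder(), WITH_DOCTYPE));
        System.out.println("hardened builder, DOCTYPE input: " + rootOf(hardenedBuilder(), WITH_DOCTYPE));
        System.out.println("hardened builder, plain input:   " + rootOf(hardenedBuilder(), PLAIN));
    }
}
```

Run with `javac XxeSafeParserDemo.java && java XxeSafeParserDemo`. The default builder accepts the DOCTYPE-bearing document and reports its root element; the hardened builder rejects it (null) while still parsing the plain document, which is exactly the behavioural change a regression test for this fix should assert on.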

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jvnet.hudson.plugins:mstest (Maven)
Affected versions: < 1.0.1
Patched versions: 1.0.1

Affected products: 1

Patches: 1

Commit f9b9b0cbdf75

Fix CVE-2023-24441 preventing XXE attacks (#20)

Repository: https://github.com/jenkinsci/mstest-plugin · Author: Ivan Pavlovic · Jun 16, 2023 · via GHSA
3 files changed · +33 −1
  • src/main/java/hudson/plugins/mstest/MSTestReportConverter.java (+15 −0, modified)
    @@ -8,6 +8,7 @@
     import java.io.Serializable;
     import java.util.ArrayList;
     import java.util.List;
    +import javax.xml.XMLConstants;
     import javax.xml.parsers.DocumentBuilder;
     import javax.xml.parsers.DocumentBuilderFactory;
     import javax.xml.parsers.ParserConfigurationException;
    @@ -113,6 +114,14 @@ private void convertToEmma(File f, File c)
         private boolean containsData(File c) throws IOException {
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
             try {
    +            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    +            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    +            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    +            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    +
    +            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    +            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    +
                 DocumentBuilder builder = factory.newDocumentBuilder();
                 Document doc = builder.parse(c);
                 XPathFactory xPathfactory = XPathFactory.newInstance();
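Review bot: this block is a verbatim copy of the one added to getDocumentBuilder() further down the same file; move the six setFeature/setAttribute calls into one private helper that returns the configured DocumentBuilderFactory and have both call sites use it, so no future parse site in the plugin can miss a setting. The calls are also placed inside the existing try, whose catch clause lies outside this hunk: if that catch handles ParserConfigurationException by returning false, an unrecognised feature URI on a different JAXP implementation would be reported as "no data" instead of as a configuration error, so it is worth checking what that catch does.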
    @@ -148,6 +157,12 @@ private DocumentBuilder getDocumentBuilder()
             throws TransformerFactoryConfigurationError,
             ParserConfigurationException {
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    +        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    +        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    +        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    +        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    +        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    +        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
             return factory.newDocumentBuilder();
         }
     
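Review bot: `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` throws an unchecked IllegalArgumentException on a JAXP implementation that does not recognise the attribute (it is a JAXP 1.5 property), and getDocumentBuilder() declares only ParserConfigurationException; with the JDK's built-in parser this is fine, but if another DocumentBuilderFactory can end up on the Jenkins classpath, either catch and log it or wrap it in a ParserConfigurationException so the failure is explicit. Consider adding `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);` next to the feature flags as cheap defence in depth.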
    
  • src/main/java/hudson/plugins/mstest/XslTransformer.java (+5 −0, modified)
    @@ -4,6 +4,7 @@
     import java.io.FileOutputStream;
     import java.io.IOException;
     import java.io.InputStream;
    +import javax.xml.XMLConstants;
     import javax.xml.transform.Transformer;
     import javax.xml.transform.TransformerConfigurationException;
     import javax.xml.transform.TransformerException;
    @@ -22,12 +23,16 @@ class XslTransformer {
         XslTransformer()
             throws TransformerConfigurationException {
             TransformerFactory transformerFactory = TransformerFactory.newInstance();
    +        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    +        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
             xslTransformer = transformerFactory.newTransformer();
         }
     
         private XslTransformer(String xslTransform)
             throws TransformerConfigurationException {
             TransformerFactory transformerFactory = TransformerFactory.newInstance();
    +        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    +        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
             xslTransformer = transformerFactory
                 .newTransformer(new StreamSource(this.getClass().getResourceAsStream(xslTransform)));
         }
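Review bot: neither constructor enables XMLConstants.FEATURE_SECURE_PROCESSING on the TransformerFactory, although the DocumentBuilderFactory changes in this same commit do set it; add `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` next to the two setAttribute calls so the XSLT side gets the same entity-expansion and extension-function limits (the constructors already declare TransformerConfigurationException, which setFeature throws). The identical two-line block in both constructors also belongs in one private helper rather than being repeated.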
    
  • src/test/java/hudson/plugins/mstest/MSTestReportConverterTest.java (+13 −1, modified)
    @@ -4,6 +4,9 @@
     import java.io.File;
     import java.io.IOException;
     import java.io.InputStreamReader;
    +import javax.xml.XMLConstants;
    +import javax.xml.parsers.DocumentBuilderFactory;
    +import javax.xml.parsers.ParserConfigurationException;
     import javax.xml.transform.Result;
     import javax.xml.transform.Source;
     import javax.xml.transform.Transformer;
    @@ -29,10 +32,19 @@
     public class MSTestReportConverterTest {
     
         @Before
    -    public void setUp() {
    +    public void setUp() throws ParserConfigurationException {
    +        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    +        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    +        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    +        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    +        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    +        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    +        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    +
             XMLUnit.setIgnoreWhitespace(true);
             XMLUnit.setNormalizeWhitespace(true);
             XMLUnit.setIgnoreComments(true);
    +        XMLUnit.setControlDocumentBuilderFactory(factory);
         }
     
         @Test
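Review bot: this only changes how XMLUnit builds its control documents; nothing in the hunk exercises the new hardening in MSTestReportConverter itself. Add a regression test that feeds getDocumentBuilder() or containsData() a constructed input containing a DOCTYPE declaration and asserts that parsing fails (the SAXParseException raised by disallow-doctype-decl), so a later refactor that drops one of the setFeature calls is caught by the build. This block is also the fourth copy of the same configuration in the commit; the test should call the shared hardened-factory helper once it exists.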
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 1