VYPR
High severity · NVD Advisory · Published Mar 23, 2023 · Updated Feb 25, 2025

CVE-2023-28682

Description

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Performance Publisher Plugin 8.09 and earlier is vulnerable to XXE attacks due to an improperly configured XML parser.

Vulnerability Overview

Jenkins Performance Publisher Plugin versions 8.09 and earlier do not properly configure their XML parser to disable XML external entity (XXE) processing [1]. This omission means that when the plugin parses XML data (such as performance report files), it will resolve external entities defined within the XML document, including those referencing external resources or files on the server file system.

Exploitation Prerequisites

To exploit this vulnerability, an attacker must be able to supply a specially crafted XML file to the plugin, typically as part of a build step or job configuration that the PerfPublisher plugin processes. No special authentication is required beyond the ability to provide XML input that the plugin parses. The attack can be carried out by any user with permission to configure or run jobs that use the plugin, or by tricking an administrator into processing malicious XML.

Impact

If exploited, the XXE vulnerability could allow an attacker to read arbitrary files from the Jenkins controller's file system, perform server-side request forgery (SSRF) attacks, or cause denial of service. In some configurations, XXE may also lead to remote code execution if combined with other features, though the primary risk is information disclosure and SSRF [2][3].

Mitigation

Jenkins has addressed this vulnerability in Performance Publisher Plugin version 8.10 by properly disabling external entity processing in the XML parser [1]. Users are strongly advised to upgrade to this version or later. No workarounds other than upgrading have been identified.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                 Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:perfpublisher    Maven       <= 8.09

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1