VYPR
High severity · NVD Advisory · Published Mar 23, 2023 · Updated Feb 21, 2025

CVE-2023-28683

Description

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Phabricator Differential Plugin 2.1.5 and earlier is vulnerable to XML external entity (XXE) attacks due to an unconfigured XML parser.

Vulnerability

Description

The Jenkins Phabricator Differential Plugin, up to and including version 2.1.5, does not disable XML external entity (XXE) processing in its XML parser. This is a classic XXE vulnerability: the parser is left in a configuration that resolves and includes external entities declared in the XML input it is given [1].

Exploitation

An attacker can exploit this by providing a maliciously crafted XML payload to the plugin. Since the plugin processes XML without proper parser hardening, a remote, unauthenticated attacker can submit XML that defines an external entity pointing to a local file or an internal network resource [2]. The plugin's specific functionality for handling differential data makes it a viable vector for XXE injection.

Impact

Successfully exploiting this XXE vulnerability could allow an attacker to read arbitrary files on the Jenkins controller, such as secrets or configuration files. In some scenarios, leveraging XXE can also lead to server-side request forgery (SSRF) attacks, allowing the attacker to probe internal network services [3]. The Jenkins Security Advisory rates the overall severity as Medium [1].

Mitigation

The vulnerability has been addressed by the Jenkins project. Users should upgrade the Phabricator Differential Plugin to a version that properly disables XXE processing. As of the advisory publication on March 21, 2023, a fixed version is available, and no workaround other than updating the plugin is recommended [1].
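As an added defensive illustration (not code from the plugin, the Jenkins project or the advisory), the two JAXP factory configurations below show what "not configuring the XML parser" means in Java, the plugin's language. `unsafeFactory()` is a `DocumentBuilderFactory` at JDK defaults, which honours DOCTYPE declarations and resolves external entities; `hardenedFactory()` is the same factory with DOCTYPE processing disallowed and the entity-related features switched off. The sample XML strings and the entity URI are constructed placeholders, not real Phabricator responses or real file paths.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Constructed sample: a response-shaped document whose DOCTYPE declares an external
    // entity. The SYSTEM URI is a placeholder path that does not exist; it is here only
    // so the two parser configurations can be compared on identical input.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE response [<!ENTITY ext SYSTEM \"file:///placeholder/example.txt\">]>\n"
      + "<response><result>&ext;</result></response>";

    // Constructed sample: a plain document with no DOCTYPE at all.
    static final String SAMPLE_CLEAN =
        "<?xml version=\"1.0\"?><response><result>ok</result></response>";

    /** Factory at JAXP defaults: DTDs are processed and external entities are fetched. */
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Factory hardened against XXE. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright. For a parser that never needs a DTD this single
        // setting closes both external-entity and entity-expansion problems.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /**
     * Parses xml with the given factory and reports what happened: the root element on
     * success, the parser's own rejection message when it refuses the document, or the
     * exception class when entity resolution fails for another reason (e.g. I/O).
     */
    static String parseOutcome(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "parsed, root=" + d.getDocumentElement().getNodeName();
        } catch (SAXParseException e) {
            return "rejected by parser: " + e.getMessage();
        } catch (Exception e) {
            return "failed while resolving: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // The hardened factory still parses ordinary documents...
        System.out.println("hardened, clean   : " + parseOutcome(hardenedFactory(), SAMPLE_CLEAN));
        // ...but refuses anything carrying a DOCTYPE before any entity is looked at.
        System.out.println("hardened, DOCTYPE : " + parseOutcome(hardenedFactory(), SAMPLE_WITH_DOCTYPE));
        // The default factory instead tries to open the entity's SYSTEM URI. Here that only
        // fails because the placeholder path does not exist; that attempted read is the XXE.
        System.out.println("default,  DOCTYPE : " + parseOutcome(unsafeFactory(), SAMPLE_WITH_DOCTYPE));
    }
}
```

The difference to look for when reviewing code like the plugin's is the third line of output: a default-configured parser gets as far as trying to fetch the entity, while the hardened one stops at the DOCTYPE with a parser error and never touches the file system or network. The same features apply to `SAXParserFactory` and `XMLInputFactory`; for the latter the equivalent is setting `XMLInputFactory.SUPPORT_DTD` to `false`.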

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:phabricator-plugin (Maven)
Affected versions: <= 2.1.5
Patched versions: none listed

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1