CVE-2023-28685
Description
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins AbsInt a³ Plugin 1.1.0 and earlier fails to disable XML external entity processing, enabling XXE attacks.
Jenkins AbsInt a³ Plugin versions 1.1.0 and earlier do not configure the plugin's XML parser to prevent XML external entity (XXE) attacks. This is a classic insecure parser configuration vulnerability: the XML processor is left with default settings that allow external entity resolution [1].
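To make the "default settings" point concrete, the following is an added illustration (not code from the AbsInt a³ Plugin or from Jenkins) of a JAXP `DocumentBuilderFactory` left at its defaults beside the same factory hardened along the lines of the OWASP XXE prevention guidance. The class and method names and the sample document are assumptions constructed for this example; the sample declares only a harmless internal entity, which is enough to show that the hardened parser refuses any DOCTYPE while the default one expands it.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeParserConfig {

    // Constructed sample input: a DOCTYPE declaring an internal entity. Harmless on its
    // own, but a DOCTYPE is where external entity definitions would live, so a hardened
    // parser should reject the whole document.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE report [ <!ENTITY tool \"a3\"> ]>\n"
      + "<report><tool>&tool;</tool></report>";

    // Weak configuration: plain JAXP defaults. DTD loading and entity expansion are on,
    // which is the condition the advisory describes for the plugin.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration (assumed example, following OWASP's JAXP recommendations).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary defense: refuse any DOCTYPE, so no entity can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth, for formats where a DOCTYPE must be tolerated.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses the document with the given factory and reports what happened.
    static String parseAndDescribe(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return "parsed: root element '" + doc.getDocumentElement().getTagName()
                 + "', tool text '" + doc.getDocumentElement().getTextContent() + "'";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Default parser expands the entity; hardened parser rejects the DOCTYPE.
        System.out.println("default  -> " + parseAndDescribe(defaultFactory(), SAMPLE_WITH_DOCTYPE));
        System.out.println("hardened -> " + parseAndDescribe(hardenedFactory(), SAMPLE_WITH_DOCTYPE));
    }
}
```

The `disallow-doctype-decl` feature is the single setting that closes the class of bug described here; the remaining features are there for parsers or formats where a DOCTYPE cannot simply be refused. Setting the features may throw `ParserConfigurationException` on a JAXP implementation that does not support them, which is the behaviour you want: fail closed rather than silently parse with external entities enabled.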
To exploit this, an attacker would need to provide a malicious XML file that is processed by the plugin. The attack surface is through any feature that ingests XML input; no special network position is required beyond being able to submit XML content to the Jenkins instance. No authentication is mentioned as a prerequisite, meaning the vulnerability could be triggered by any user who can interact with the plugin's XML parsing functionality [2].
Successful XXE exploitation can lead to disclosure of local files, denial of service, server-side request forgery (SSRF), and other impacts depending on how the XML parser is used. The advisory does not specify the exact impact beyond the vulnerability class, but typical XXE consequences include reading arbitrary files on the Jenkins controller or interacting with internal systems [1].
As of the advisory date (2023-03-21), no fixed version was announced for the AbsInt a³ Plugin. Users should consider disabling the plugin or restricting access to XML processing features until a patched version is released. The vulnerability was disclosed in the Jenkins Security Advisory [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:absint-a3 (Maven) | <= 1.1.0 | — |
Affected products
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wf8m-qr47-xc9m (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-28685 (GHSA, advisory)
- www.jenkins.io/security/advisory/2023-03-21/ (GHSA, vendor advisory, web)
News mentions
- Jenkins Security Advisory 2023-03-21 (Jenkins Security Advisories · Mar 21, 2023)