CVE-2023-41933
Description
Jenkins Job Configuration History Plugin ≤1227.v7a_79fc4dc01f is vulnerable to XXE due to unsafe XML parser configuration, allowing file read or SSRF when combined with a path traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to disable XML external entity (XXE) processing [1][4]. This vulnerability is paired with a path traversal flaw (CVE-2023-41932) that allows an attacker to reach endpoints processing attacker-controlled XML data [1].
Exploitation
An attacker with Job Config History/DeleteEntry permission can exploit the path traversal to include malicious XML files, which are then parsed without XXE protection [1][2]. No additional authentication is required beyond the base plugin permission, making the issue exploitable by low-privileged users.
Impact
Successful XXE exploitation can lead to reading arbitrary files on the Jenkins controller file system or conducting server-side request forgery (SSRF) attacks, potentially compromising sensitive data or internal services [1][4].
Mitigation
The Jenkins project released version 1229.v3039470161a_d of the Job Configuration History Plugin, which fixes the XXE vulnerability by properly configuring the XML parser [1][2]. Users are advised to update immediately.
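The two checks this fix relies on, as an added example that is not the plugin's code: a canonical-path containment test for a revision identifier, and a `TransformerFactory` with external DTD and stylesheet access disabled, run against a constructed document. The class and method names (`HistoryRevisionGuard`, `isContained`, `hardenedFactory`) are hypothetical, the directory, identifiers and XML are constructed sample input, and `FEATURE_SECURE_PROCESSING` is an extra setting assumed here beyond what the page describes.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HistoryRevisionGuard {
    // Hypothetical helper: true only if child still resolves inside parent once ".." is collapsed.
    static boolean isContained(File child, File parent) throws IOException {
        return child.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath());
    }

    // Empty protocol lists forbid fetching external DTDs, entities and stylesheets.
    // setAttribute throws IllegalArgumentException on implementations that lack these attributes.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // assumption: extra hardening
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    public static void main(String[] args) throws Exception {
        File historyDir = Files.createTempDirectory("history").toFile(); // constructed history root
        for (String id : new String[] {"2023-09-06_10-00-00", "../../outside"}) { // constructed ids
            System.out.println(id + " contained=" + isContained(new File(historyDir, id), historyDir));
        }
        // Constructed regression input: an entity that points at a marker file created by this test.
        Path marker = Files.createTempFile("marker", ".txt");
        Files.writeString(marker, "MARKER");
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e SYSTEM \""
            + marker.toUri() + "\">]><r>&e;</r>";
        StringWriter out = new StringWriter();
        try {
            hardenedFactory().newTransformer().transform(
                new StreamSource(new StringReader(xml)), new StreamResult(out));
            System.out.println("entity expanded=" + out.toString().contains("MARKER"));
        } catch (TransformerException e) {
            System.out.println("rejected by parser: " + e.getMessage());
        }
    }
}
```

Requires Java 11 or later for `Files.writeString`.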
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:jobConfigHistory (Maven) | < 1229.v3039470161a_d | 1229.v3039470161a_d |
Patches
3039470161ad [SECURITY-3235]
2 files changed · +22 −3
src/main/java/hudson/plugins/jobConfigHistory/FileHistoryDao.java+14 −2 modified@@ -618,7 +618,13 @@ private int countSubDirs(File[] files) { public XmlFile getOldRevision(final AbstractItem item, final String identifier) { final File configFile = item.getConfigFile().getFile(); - final File historyDir = new File(getHistoryDir(configFile), identifier); + final File historyDirFromConfigFile = getHistoryDir(configFile); + final File historyDir = new File(historyDirFromConfigFile, identifier); + + if(!fileIsContainedInDirectory(historyDir, historyDirFromConfigFile)) { + return new XmlFile(null); + } + if (PluginUtils.isMavenPluginAvailable() && item instanceof MavenModule) { final String path = historyDir @@ -1338,8 +1344,14 @@ public void saveNode(final Node node) { @Override public XmlFile getOldRevision(final Node node, final String identifier) { - final File historyDir = new File(getHistoryDirForNode(node), + final File historyDirForNode = getHistoryDirForNode(node); + final File historyDir = new File(historyDirForNode, identifier); + + if(!fileIsContainedInDirectory(historyDir, historyDirForNode)) { + return new XmlFile(null); + } + return new XmlFile(getConfigFile(historyDir)); }
src/main/java/hudson/plugins/jobConfigHistory/JobConfigHistoryBaseAction.java+8 −1 modified@@ -51,6 +51,7 @@ import org.xmlunit.diff.ElementSelectors; import javax.servlet.ServletException; +import javax.xml.XMLConstants; import javax.xml.transform.Transformer; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactory; @@ -89,7 +90,13 @@ public abstract class JobConfigHistoryBaseAction implements Action { private static final Logger LOG = Logger.getLogger(JobConfigHistoryBaseAction.class.getName()); - private final TransformerFactory transformerFactory = TransformerFactory.newInstance(); + private final TransformerFactory transformerFactory; + + public JobConfigHistoryBaseAction() { + transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + } @Override public String getDisplayName() {
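Review bot: in `FileHistoryDao.getOldRevision(AbstractItem, String)`, a rejected identifier returns `new XmlFile(null)` with no log entry, so a traversal attempt leaves no trace and callers receive an XmlFile backed by a null File. Suggest logging the rejected `identifier` at warning level before the return, and stating in the method's Javadoc that callers must handle the null-backed result, or throwing instead if no caller depends on getting a value back.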
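Review bot: the containment block in `getOldRevision(Node, String)` repeats the item overload's block line for line, and `fileIsContainedInDirectory` is not defined in these hunks, so it cannot be confirmed from the diff whether it compares canonical paths or raw path strings. Suggest moving "build the history dir from `identifier` and validate it" into one private method used by both overloads, and adding a unit test that passes an identifier containing `..` to each. Minor style: `if(` is missing the space after `if` in both places.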
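Review bot: in the new `JobConfigHistoryBaseAction()` constructor, `setAttribute` throws IllegalArgumentException when the implementation returned by `TransformerFactory.newInstance()` does not recognise the attribute, and because the class is abstract that would break construction of every subclass. Suggest catching that case and failing with a clear log message rather than an unexplained constructor error, and also calling `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` so the factory is restricted even where the two `ACCESS_EXTERNAL_*` attributes are unsupported. A short comment on why both values are the empty string would help future readers.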
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-ghjw-fcf6-rpr9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-41933 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2023-09-06/ (ghsa, vendor-advisory, WEB)
- www.openwall.com/lists/oss-security/2023/09/06/9 (ghsa, WEB)
- github.com/jenkinsci/job-config-history-plugin/commit/3039470161ada86f4091c75fc779ebfdb69f3210 (ghsa, WEB)
News mentions
- Jenkins Security Advisory 2023-09-06 (Jenkins Security Advisories · Sep 6, 2023)