Security Flaw in Jenkins Job Configuration History Plugin by Jenkins
CVE-2023-41933

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Job Configuration History Plugin
Vendor: CVE Published:; 6 September 2023

Summary

The Jenkins Job Configuration History Plugin version 1227.v7a_79fc4dc01f and earlier lacks proper configuration for its XML parser, making it prone to XML External Entity (XXE) attacks. This vulnerability allows attackers to exploit the XML parser to read sensitive files from the server or perform internal network requests. Ensuring that XML external entities are disabled in the parser configuration can mitigate the risks associated with this vulnerability.

Affected Version(s)

Jenkins Job Configuration History Plugin 0 <= 1227.v7a_79fc4dc01f

References

https://www.jenkins.io/security/advisory/2023-09-06/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/09/06/9

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 6, 2023
Vulnerability Reserved
Sep 5, 2023