Subject: CVE-2024-23897 Jenkins XML External Entity (XXE) Vulnerability
Tech Stack:
Date Issued:
- Original Date: 2024-01-24
- Last Modified Date: 2024-01-24
Criticality:
- Severity: High
- Description: This vulnerability allows remote attackers to exploit Jenkins XML parsers to read files on the server, potentially leading to sensitive information disclosure.
Overview:
- CVE-2024-23897 is an XML External Entity (XXE) vulnerability in Jenkins. It occurs because Jenkins XML parsers do not properly configure XMLInputFactory to disable external entities. This allows an attacker to craft XML data that, when parsed by Jenkins, can read files on the Jenkins server or execute external HTTP requests, leading to information disclosure and potentially remote code execution.
Attack Mechanisms:
- XXE Injection:
- An attacker sends specially crafted XML data to Jenkins.
- File Read/Information Disclosure:
- The XML parser processes the data, allowing the attacker to read sensitive files on the server.
- External Requests:
- The attacker can potentially force the server to make HTTP requests to external or internal services, leading to information disclosure or further exploitation.
Affected Systems:
Mitigation Solution:
- Upgrade: Upgrade to the latest version of Jenkins that has patched this vulnerability. Refer to the Jenkins Security Advisory for the fixed versions.
- Configuration Changes: Ensure that XMLInputFactory instances in custom plugins and other components are configured to disable external entity resolution.
- Security Best Practices: Regularly review and update Jenkins and its plugins. Implement security best practices, such as securing access to Jenkins, using least privilege principles, and conducting regular security audits.
References: