[JENKINS:SECURITY-3235] Path traversal allows exploiting XXE vulnerability in `jobConfigHistory`

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 2

jobConfigHistory 1227.v7a_79fc4dc01f and earlier does not restrict timestamp query parameters in multiple endpoints.
This allows attackers with Job Config History/DeleteEntry permission to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called history.xml.
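The first issue is a missing input restriction: a timestamp taken from the query string is used to build a file system path. The following Java snippet is an added illustration of the defensive check a plugin endpoint would apply before deleting anything; it is not the jobConfigHistory plugin's code, and the timestamp format it enforces (`yyyy-MM-dd_HH-mm-ss`) is an assumption chosen for the example, not taken from this advisory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Resolves a history entry directory from a user-supplied timestamp parameter.
 * Two independent controls: a strict whitelist on the parameter's shape, and a
 * canonical-path containment check so the result can never leave the history root.
 * Added example; the timestamp pattern is assumed, not the plugin's real one.
 */
public final class HistoryDirResolver {

    // Assumed entry-name format; anything else (slashes, dots, empty) is rejected outright.
    private static final Pattern TIMESTAMP =
            Pattern.compile("\\d{4}-\\d{2}-\\d{2}_\\d{2}-\\d{2}-\\d{2}");

    public static File resolve(File historyRoot, String timestamp) throws IOException {
        if (timestamp == null || !TIMESTAMP.matcher(timestamp).matches()) {
            throw new IllegalArgumentException("timestamp parameter has an unexpected format");
        }
        // Canonicalise both sides so symlinks and ".." segments are resolved before comparing.
        Path root = historyRoot.getCanonicalFile().toPath();
        Path candidate = new File(historyRoot, timestamp).getCanonicalFile().toPath();
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IllegalArgumentException("timestamp resolves outside the history root");
        }
        return candidate.toFile();
    }

    public static void main(String[] args) throws IOException {
        File root = new File(System.getProperty("java.io.tmpdir"), "config-history");
        System.out.println("accepted: " + resolve(root, "2023-09-06_00-00-00"));
        // Constructed malformed inputs; each must be rejected by the format check.
        for (String bad : new String[] {"../other", "2023-09-06_00-00-00/..", ""}) {
            try {
                resolve(root, bad);
                System.out.println("BUG: accepted '" + bad + "'");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

The regular expression alone already excludes every path separator, so the containment check is deliberately redundant: if the format rule is ever loosened, the canonical-path comparison still keeps deletions inside the history root.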

Additionally, jobConfigHistory 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Item/Configure permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

jobConfigHistory 1229.v3039470161a_d restricts timestamp query parameters in the affected endpoints, and disables external entity resolution for its XML parser.

Package                                              Affected Version
pkg:maven/org.jenkins-ci.plugins/jobConfigHistory    <= 1227.v7a_79fc4dc01f
pkg:github/jenkinsci/jobconfighistory-plugin         <= 1227.v7a_79fc4dc01f

Package                                              Fixed Version
pkg:maven/org.jenkins-ci.plugins/jobConfigHistory    = 1229.v3039470161a_d
pkg:github/jenkinsci/jobconfighistory-plugin         = 1229.v3039470161a_d
ID: JENKINS:SECURITY-3235
Severity: high
Published: 2023-09-06T00:00:00
Modified: 2023-09-06T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source             Name                        URL
Plugin repository  jobConfigHistory repository https://github.com/jenkinsci/jobConfigHistory-plugin
Type      Package URL                                          Namespace                Name / Product          Version
Affected  pkg:maven/org.jenkins-ci.plugins/jobConfigHistory    org.jenkins-ci.plugins   jobConfigHistory        <= 1227.v7a_79fc4dc01f
Fixed     pkg:maven/org.jenkins-ci.plugins/jobConfigHistory    org.jenkins-ci.plugins   jobConfigHistory        = 1229.v3039470161a_d
Affected  pkg:github/jenkinsci/jobconfighistory-plugin         jenkinsci                jobconfighistory-plugin <= 1227.v7a_79fc4dc01f
Fixed     pkg:github/jenkinsci/jobconfighistory-plugin         jenkinsci                jobconfighistory-plugin = 1229.v3039470161a_d