CVE-2023-28680

7.5 HIGH

📋 TL;DR

The Jenkins Crap4J Plugin 0.9 and earlier contains an XML external entity (XXE) vulnerability due to improper XML parser configuration. This allows attackers to read arbitrary files from the Jenkins controller file system and potentially perform server-side request forgery (SSRF). All Jenkins instances using the vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Jenkins Crap4J Plugin
Versions: 0.9 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins installations with the Crap4J plugin installed and enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the Jenkins controller file system, sensitive data exfiltration, and potential remote code execution through SSRF attacks.

🟠 Likely Case: Unauthorized file system access leading to credential theft, configuration exposure, and potential privilege escalation.

🟢 If Mitigated: Limited impact with proper network segmentation and file system permissions, though XXE vulnerabilities remain dangerous.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet are directly vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to Jenkins, but standard XXE payloads work reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2925

Restart Required: Yes

Instructions:

1. Access the Jenkins web interface as an administrator.
2. Navigate to Manage Jenkins > Manage Plugins.
3. Update the Crap4J Plugin to version 0.10 or later.
4. Restart the Jenkins service.

🔧 Temporary Workarounds

Disable Crap4J Plugin (Platform: all)

Temporarily disable the vulnerable plugin until patching is possible.

# Access Jenkins web UI > Manage Jenkins > Manage Plugins > Installed
# Find Crap4J Plugin and click 'Disable'

Remove Crap4J Plugin (Platform: all)

Completely uninstall the vulnerable plugin.

# Access Jenkins web UI > Manage Jenkins > Manage Plugins > Installed
# Find Crap4J Plugin and click 'Uninstall'

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jenkins from sensitive systems
  • Apply strict file system permissions to limit what files Jenkins can access

🔍 How to Verify

Check if Vulnerable:

Check the Jenkins plugin manager for Crap4J Plugin version 0.9 or earlier.

Check Version:

# From Jenkins web UI: Manage Jenkins > Manage Plugins > Installed > Crap4J Plugin

Verify Fix Applied:

Verify that the Crap4J Plugin version shown in the plugin manager is 0.10 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors in Jenkins logs
  • File access patterns from Jenkins process to sensitive locations

Network Indicators:

  • HTTP requests with XML payloads containing external entity references
  • Outbound connections from Jenkins to unexpected external systems

SIEM Query:

source="jenkins.log" AND ("XXE" OR "external entity" OR "DOCTYPE")
