CVE-2023-28682
📋 TL;DR
The Jenkins Performance Publisher Plugin 8.09 and earlier contains an XML external entity (XXE) vulnerability due to improper XML parser configuration. This allows attackers to read arbitrary files from the Jenkins controller file system and potentially perform server-side request forgery (SSRF). All Jenkins instances using the vulnerable plugin versions are affected.
💻 Affected Systems
- Jenkins Performance Publisher Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Jenkins controller file system, sensitive data exfiltration, and potential SSRF attacks leading to internal network reconnaissance or further exploitation.
Likely Case
Unauthorized file reading from Jenkins controller, potentially exposing credentials, configuration files, or other sensitive data stored on the server.
If Mitigated
Limited impact with proper network segmentation and file system permissions, though some information disclosure may still occur.
🎯 Exploit Status
Exploitation requires authenticated access to Jenkins. XXE vulnerabilities are well-understood with established exploitation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Performance Publisher Plugin 8.10
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2928
Restart Required: Yes
Instructions:
1. In Jenkins, navigate to Manage Jenkins > Manage Plugins > Available tab.
2. Search for 'Performance Publisher'.
3. Install version 8.10 or later.
4. Restart Jenkins after installation completes.
🔧 Temporary Workarounds
Disable Performance Publisher Plugin
Platform: all. Temporarily disable the vulnerable plugin until patching is possible.
Navigate to Manage Jenkins > Manage Plugins > Installed tab, find Performance Publisher, click Disable
Restrict Jenkins User Permissions
Platform: Linux. Limit file system access for the Jenkins service account.
chmod 700 /path/to/jenkins/data
chown jenkins:jenkins /path/to/jenkins/data
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Jenkins from sensitive systems
- Apply principle of least privilege to Jenkins service account file system permissions
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin manager for Performance Publisher version. If version is 8.09 or earlier, the system is vulnerable.
Check Version:
Check Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab, or examine $JENKINS_HOME/plugins/performance-publisher/META-INF/MANIFEST.MF
Verify Fix Applied:
Verify Performance Publisher Plugin version is 8.10 or later in Jenkins plugin manager.
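A scriptable form of the MANIFEST.MF check above, added here as an example and not taken from the advisory or the plugin project. It assumes the manifest carries a Plugin-Version attribute and that the plugin directory is named as the path above shows; versions are compared component by component so that 8.09 correctly sorts below 8.10.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed
# Performance Publisher plugin is at or above the fixed version for
# CVE-2023-28682. Assumes the plugin manifest carries a "Plugin-Version:"
# attribute and that the directory name matches the path the advisory gives.
FIXED_VERSION="8.10"

# Pull the Plugin-Version value out of a MANIFEST.MF (manifests use CRLF).
plugin_version_from_manifest() {
    tr -d '\r' < "$1" | sed -n 's/^Plugin-Version:[ ]*//p' | head -n 1
}

# Exit 0 if version $1 >= version $2. Components are compared numerically,
# so "8.09" < "8.10" and "8.9" < "8.10"; a plain string compare gets these wrong.
version_at_least() {
    awk -v v="$1" -v m="$2" 'BEGIN {
        n = split(v, a, "."); k = split(m, b, ".")
        len = (n > k) ? n : k
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            y = (i <= k) ? b[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Classify one manifest: prints a status and returns 0 for fixed, 1 for
# vulnerable, 2 when no version can be determined (drives fleet audits / CI gates).
check_plugin_manifest() {
    if [ ! -f "$1" ]; then
        echo "not-installed"; return 2
    fi
    version=$(plugin_version_from_manifest "$1")
    if [ -z "$version" ]; then
        echo "unknown"; return 2
    fi
    if version_at_least "$version" "$FIXED_VERSION"; then
        echo "fixed ($version)"; return 0
    fi
    echo "vulnerable ($version)"; return 1
}

# Usage: sh check_perfpublisher.sh "$JENKINS_HOME/plugins/performance-publisher/META-INF/MANIFEST.MF"
if [ $# -gt 0 ]; then
    check_plugin_manifest "$1"
fi
```

The exit status makes the script usable from configuration management or a CI job that should fail while any controller still reports vulnerable.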
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors in Jenkins logs
- Multiple failed authentication attempts followed by XML processing requests
- File read operations from unexpected locations
Network Indicators:
- HTTP requests containing XML with external entity references to Performance Publisher endpoints
- Outbound connections from Jenkins to internal systems not normally accessed
SIEM Query:
source="jenkins.log" AND ("XXE" OR "external entity" OR "DOCTYPE")