CVE-2023-49656

9.8 CRITICAL
XXE

📋 TL;DR

The Jenkins MATLAB Plugin 2.11.0 and earlier contains an XML External Entity (XXE) vulnerability due to improper XML parser configuration. This allows attackers to read arbitrary files from the Jenkins controller file system, potentially leading to sensitive information disclosure. All Jenkins instances using the vulnerable MATLAB plugin versions are affected.

💻 Affected Systems

Products:
  • Jenkins MATLAB Plugin
Versions: 2.11.0 and earlier
Operating Systems: All operating systems running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the MATLAB plugin to be installed and configured in Jenkins. The vulnerability exists in the XML parsing functionality of the plugin.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the Jenkins controller through arbitrary file read, potentially exposing credentials, secrets, and sensitive configuration files, leading to further system compromise.

🟠 Likely Case: Unauthorized reading of sensitive files on the Jenkins controller, including credentials, SSH keys, and configuration data that could enable lateral movement.

🟢 If Mitigated: Limited impact with proper network segmentation and file system permissions, restricting attacker access to non-sensitive files only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication with Overall/Read permission in Jenkins. XXE vulnerabilities are well-understood and frequently exploited.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.12.0

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3193

Restart Required: Yes

Instructions:

1. Update the Jenkins MATLAB Plugin to version 2.12.0 or later via the Jenkins Plugin Manager.
2. Restart the Jenkins instance after the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.

🔧 Temporary Workarounds

Disable MATLAB Plugin (Platform: all)

Temporarily disable the vulnerable plugin if immediate patching is not possible.

Navigate to Manage Jenkins > Manage Plugins > Installed tab, find MATLAB Plugin, click Disable.

Restrict Jenkins User Permissions (Platform: all)

Limit user access to only the necessary permissions to reduce the attack surface.

Configure the Jenkins security matrix to restrict Overall/Read permission to trusted users only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jenkins from sensitive systems
  • Apply file system permissions to restrict access to sensitive files on Jenkins controller

🔍 How to Verify

Check if Vulnerable:

Check installed MATLAB plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab, look for MATLAB Plugin version

Check Version:

Check Jenkins plugin directory for matlab.hpi file version or use Jenkins CLI: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep matlab

Verify Fix Applied:

Verify MATLAB plugin version is 2.12.0 or higher in Manage Jenkins > Manage Plugins > Installed tab
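To make the version check above repeatable across many controllers, here is an added example (not part of this page or of the MATLAB plugin project) that parses `list-plugins` output from the Jenkins CLI and compares the installed MATLAB Plugin version against the fixed release 2.12.0. The line format ("shortName (Display Name) version", optionally followed by the available update in parentheses), the short name `matlab`, and the sample output are assumptions constructed for the example.

```python
import re
import sys

FIXED_VERSION = "2.12.0"  # fixed release named in the advisory for CVE-2023-49656
PLUGIN_SHORT_NAME = "matlab"  # short name used in the grep check above (assumed)
# Assumed `list-plugins` line format: "<shortName> (<Display Name>) <version>",
# optionally followed by " (<newer version>)" when an update is available.
LINE_RE = re.compile(r"^(?P<name>\S+) \(.+?\) (?P<version>\S+)(?: \(\S+\))?$")

# Constructed sample output; not captured from a real controller.
SAMPLE_OUTPUT = """\
git (Git plugin) 5.2.1 (5.2.2)
matlab (MATLAB Plugin) 2.11.0 (2.12.0)
workflow-job (Pipeline: Job) 1400.v7fd111b_ec82f
"""

def parse_version(version):
    """Leading numeric dotted components as a tuple; non-numeric tails are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # e.g. "0-beta": stop after the number
            break
    return tuple(parts)

def version_lt(a, b):
    """True if a is strictly older than b (missing components count as 0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))

def installed_version(cli_output, short_name=PLUGIN_SHORT_NAME):
    """Installed version string of the plugin, or None if it is not installed."""
    for line in cli_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("name") == short_name:
            return m.group("version")
    return None

def is_vulnerable(cli_output):
    """True if MATLAB Plugin is installed and older than 2.12.0; None if not installed."""
    version = installed_version(cli_output)
    return None if version is None else version_lt(version, FIXED_VERSION)

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print({None: "not installed", True: "VULNERABLE", False: "fixed"}[is_vulnerable(data)])
```

Pipe the real CLI output into it: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | python3 check_matlab.py (script name assumed).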

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors in Jenkins logs
  • Multiple failed authentication attempts followed by XML processing requests
  • File read operations from unexpected locations

Network Indicators:

  • XML payloads containing external entity references in HTTP requests to Jenkins
  • Outbound connections from Jenkins to external servers during XML processing

SIEM Query:

source="jenkins.log" AND ("XML" OR "XXE" OR "external entity") AND (error OR warning OR exception)
