CVE-2022-43415 — XXE vulnerability in Jenkins REPO Plugin

Description

REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control which `repo` binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. REPO Plugin 1.16.0 disables external entity resolution for its XML parser.

How to fix CVE-2022-43415

To remediate CVE-2022-43415, upgrade the affected package to a fixed version below.

—upgrade to 1.16.0 or later

Is CVE-2022-43415 being exploited?

Moderate — EPSS is 5.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.16.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43415
PATCHgithub.com/jenkinsci/repo-plugin
WEBgithub.com/jenkinsci/repo-plugin/commit/4c4a72c7de3d3e5bbbad223605ea264dcec56bc1
WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2337