Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50765

Harden support-core against XXE attacks


    • Similar Issues:


      There are currently three support bundle components that use SecretHandler#findSecrets, which uses a standard XML transformer that does not protect against XXE attacks: ConfigFileComponent, AgentsConfigFile, and OtherConfigFilesComponent.

      ConfigFileComponent and AgentsConfigFile process files controlled by Jenkins core, and there is no way for a non-admin to modify the contents of the files they process except through XStream, which prevents XXE attacks.

      OtherConfigFilesComponent includes all files in $JENKINS_HOME that end with .xml except for credentials.xml and config.xml. If a plugin allows non-admin users to directly change the contents of a file (not using XStream) that ends with .xml in $JENKINS_HOME then that would allow an attacker to store an XXE attack for later execution when an admin generates a bundle that includes the OtherConfigFilesComponent.

      Any plugin that gives non-admin users unrestricted access to a file in Jenkins home is likely a problem by itself, and only admins can install plugins, so I don't consider this to be a problem in practice. Even so, it is easy enough to harden the plugin against this type of issue just in case.



          dnusbaum Devin Nusbaum created issue -
          dnusbaum Devin Nusbaum made changes -
          Field Original Value New Value
          Status Open [ 1 ] In Progress [ 3 ]
          dnusbaum Devin Nusbaum made changes -
          Status In Progress [ 3 ] In Review [ 10005 ]
          dnusbaum Devin Nusbaum made changes -
          Link This issue is duplicated by SECURITY-448 [ SECURITY-448 ]
          dnusbaum Devin Nusbaum made changes -
          Remote Link This issue links to "jenkinsci/support-core-plugin#141 (Web Link)" [ 20413 ]
          dnusbaum Devin Nusbaum made changes -
          Status In Review [ 10005 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          jamesdumay James Dumay made changes -
          Remote Link This issue links to "CloudBees Internal OSS-2691 (Web Link)" [ 20534 ]
          aheritier Arnaud Héritier made changes -
          Status Resolved [ 5 ] Closed [ 6 ]


            • Assignee:
              dnusbaum Devin Nusbaum
              dnusbaum Devin Nusbaum
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: