CVE-2023-49656

Name of the Vulnerable Software and Affected Versions Jenkins MATLAB Plugin versions 2.11.0 and earlier

Description The issue concerns the Jenkins MATLAB Plugin, which does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers who can create files on the Jenkins controller file system to have Jenkins parse a crafted XML document, potentially leading to the extraction of secrets from the Jenkins controller or server-side request forgery. The plugin also fails to perform permission checks in several HTTP endpoints and does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Recommendations For Jenkins MATLAB Plugin versions 2.11.0 and earlier, update to version 2.11.1 or later, which configures its XML parser to prevent XML external entity (XXE) attacks and requires POST requests and Item/Configure permission for the affected HTTP endpoints. As a temporary workaround, consider restricting access to the affected HTTP endpoints to minimize the risk of exploitation.