CVE-2022-25209

Name of the Vulnerable Software and Affected Versions Jenkins Chef Sinatra Plugin versions 1.20 and earlier

Description The issue arises from the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks, allowing attackers to have Jenkins parse a crafted XML response for extraction of secrets from the Jenkins controller or server-side request forgery. Additionally, the plugin does not perform a permission check in a method implementing form validation.

Recommendations For versions 1.20 and earlier, as a temporary workaround, consider disabling the XML parser functionality until a patch is available. Restrict access to the plugin to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.