PT-2022-18288 · Jenkins · Jenkins LTS +2

Daniel Beck · Published 2022-03-15 · Updated 2023-11-22 · CVE-2022-27201

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Semantic Versioning Plugin versions 1.13 and earlier
Jenkins versions 2.318 and earlier
Jenkins LTS versions 2.303.2 and earlier
Description The issue allows attackers who are able to control agent processes to have the Jenkins controller parse a crafted file, using external entities to extract secrets from the Jenkins controller or to perform server-side request forgery. This is due to missing restrictions on the execution of controller/agent messages and on the file paths that can be parsed, together with an XML parser that is not configured to prevent XML external entity (XXE) attacks.
Recommendations For Jenkins Semantic Versioning Plugin versions 1.13 and earlier, update to a version later than 1.13 to resolve the issue. For Jenkins versions 2.318 and earlier, update to a version later than 2.318. For Jenkins LTS versions 2.303.2 and earlier, update to Jenkins LTS 2.303.3 or later, following the LTS upgrade guide.

Tags: SSRF, XXE

Weakness Enumeration

Related Identifiers
CVE-2022-27201
GHSA-X3M3-G8W6-MF28

Affected Products
Jenkins
Jenkins LTS
Jenkins Semantic Versioning Plugin