CVE-2022-45386

Name of the Vulnerable Software and Affected Versions Jenkins Violations Plugin versions 0.7.11 and earlier

Description The issue arises from the Jenkins Violations Plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. This allows attackers to control XML input files for the 'Report Violations' post-build step, potentially leading to the extraction of secrets from the Jenkins agent or server-side request forgery. The impact of this issue is limited to narrow circumstances where attackers can control XML files but are unable to change build steps, Jenkinsfiles, or test code executed on the agents.

Recommendations For Jenkins Violations Plugin versions 0.7.11 and earlier, consider disabling the XML parser functionality until a patch is available to prevent XXE attacks. Restrict access to the 'Report Violations' post-build step to minimize the risk of exploitation. Avoid using external XML files in the affected post-build step until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.