CVE-2022-45396

Name of the Vulnerable Software and Affected Versions Jenkins SourceMonitor Plugin versions 0.2 and earlier

Description The issue allows attackers to control XML input files for the 'Publish SourceMonitor results' post-build step, enabling them to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery. This has a real impact in narrow circumstances where attackers can control XML files but are unable to change build steps, Jenkinsfiles, test code, or similar.

Recommendations For Jenkins SourceMonitor Plugin versions 0.2 and earlier, update the plugin to a version that configures its XML parser to prevent XML external entity (XXE) attacks. As a temporary workaround, consider restricting access to the 'Publish SourceMonitor results' post-build step to minimize the risk of exploitation.