CVE-2023-37942

Name of the Vulnerable Software and Affected Versions Jenkins External Monitor Job Type Plugin versions 206.v9a 94ff0b 4a 10 and earlier

Description The issue allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks.

Recommendations For versions 206.v9a 94ff0b 4a 10 and earlier, update to version 207.v98a a 37a 85525 or later, which disables external entity resolution for its XML parser. As a temporary workaround, consider restricting access to the plugin's XML parser to minimize the risk of exploitation.