RELEASED: Public: January 24, 2024
Security fixes
- XXE in Infradna-Backup Plugin (BEE-42748)
CloudBees Backup (Infradna-backup) 3.38.71 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control Backup file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.