CloudBees Backup Plugin 3.38.72


RELEASED: Public: January 24, 2024

Security fixes

XXE in Infradna-Backup Plugin (BEE-42748)

CloudBees Backup (Infradna-backup) 3.38.71 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers who can control Backup file contents to have Jenkins parse a crafted XML document that uses external entities to extract secrets from the Jenkins controller or to perform server-side request forgery.

New features

None.

Feature enhancements

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

None.