CVE-2022-45397: 
Java vulnerability analysis and mitigation

Jenkins OSF Builder Suite :: XML Linter Plugin version 1.0.2 and earlier contains an XML External Entity (XXE) vulnerability. The vulnerability was discovered and disclosed on November 15, 2022, affecting all versions up to and including 1.0.2 of the plugin. This security issue was assigned CVE-2022-45397 and was reported by CC Bomber from Kitri BoB (Jenkins Advisory).

The vulnerability stems from the plugin's failure to properly configure its XML parser to prevent XML external entity (XXE) attacks. The severity is rated as Medium with a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is tracked as SECURITY-2937 in Jenkins' security tracking system (NVD).

This vulnerability allows attackers who can control XML files processed by the 'OSF Builder Suite :: XML Linter' build step to have agent processes parse crafted files that use external entities. This can lead to extraction of secrets from the Jenkins agent or enable server-side request forgery attacks (Jenkins Advisory).

As of the advisory's publication date, no fix is available for this vulnerability. The Jenkins security team has publicly announced this issue to alert users of the potential security risk (Jenkins Advisory).