CVE-2023-28680: 
Java vulnerability analysis and mitigation

Jenkins Crap4J Plugin 0.9 and earlier contains a high severity vulnerability (CVE-2023-28680) discovered in March 2023. The vulnerability affects the XML parsing functionality of the plugin, which fails to properly configure its XML parser to prevent XML external entity (XXE) attacks (Jenkins Advisory).

The vulnerability stems from improper configuration of the XML parser in the Crap4J Plugin that allows XML external entity (XXE) processing. This configuration weakness enables the processing of external entities in XML documents, which should be disabled by default for security. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows attackers who can control Crap Report file contents to submit crafted XML documents that use external entities. This can be exploited for extraction of secrets from the Jenkins controller or to perform server-side request forgery attacks (Jenkins Advisory).

As of the advisory publication date (March 21, 2023), no fix is available for this vulnerability in the Crap4J Plugin. Users should assess their risk and consider implementing XML parser hardening at the Jenkins controller level or restricting access to Crap Report file submission capabilities (Jenkins Advisory).