CVE-2023-49656: 
Java vulnerability analysis and mitigation

Jenkins MATLAB Plugin 2.11.0 and earlier contains an XML External Entity (XXE) vulnerability identified as CVE-2023-49656. The vulnerability was discovered and disclosed on November 29, 2023, affecting the MATLAB Plugin component of Jenkins, an open-source automation server. The issue stems from the plugin's failure to properly configure its XML parser to prevent XXE attacks when determining whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation (Jenkins Advisory).

The vulnerability is rated as High severity with a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The core issue lies in the XML parsing functionality used to validate MATLAB installation directories. The plugin processes an XML file in the specified directory but fails to implement proper XML parser configuration to prevent XXE attacks (NVD).

This vulnerability allows attackers who can create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities. This can lead to the extraction of secrets from the Jenkins controller or enable server-side request forgery attacks (Jenkins Advisory).

The vulnerability has been fixed in MATLAB Plugin version 2.11.1, which properly configures its XML parser to prevent XML external entity (XXE) attacks. Users are strongly advised to upgrade to this version. Additionally, the new version requires POST requests and Item/Configure permission for the affected HTTP endpoints (Jenkins Advisory).