CVE-2022-45400: XXE vulnerability in Jenkins JAPEX Plugin

November 16, 2022 (updated April 30, 2025)

JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the ‘Record Japex test report’ post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

References

github.com/advisories/GHSA-8538-25v4-25pg
github.com/jenkinsci/japex-plugin
nvd.nist.gov/vuln/detail/CVE-2022-45400
www.jenkins.io/security/advisory/2022-11-15/

Code Behaviors & Features

Detect and mitigate CVE-2022-45400 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →