Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

External Monitor Job Type Plugin 207.v98a_a_37a_85525 disables external entity resolution for its XML parser.

Affected Packages

Maven org.jenkins-ci.plugins:external-monitor-job

Affected versions: 0 (fixed in 207.v98a)

Related CVEs

CVE-2023-37942

Key Information

GHSA ID

GHSA-g4c3-4f3v-84x8

Published

July 12, 2023 6:30 PM

Last Modified

July 20, 2023 2:15 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:external-monitor-job

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.