Impact
The vulnerability arises because the Jenkins Assembla Plugin does not properly configure its XML parser to reject external entity references. Based on the description, it is inferred that attackers who can control the responses from a configured Assembla server can craft XML that forces the Jenkins controller to resolve external entities and read files from the local filesystem, obtain credentials or other secrets, and possibly perform destructive actions. The weakness maps to CWE‑611: Improper Restriction of XML External Entity Reference.
Affected Systems
The affected systems are any Jenkins installations that include the Jenkins Assembla Plugin version 1.4 or earlier. The plugin is distributed by the Jenkins Project and is commonly used to integrate Assembla repositories. No further vendor‑specific versions are listed; the issue affects all installations that have these older plugin releases deployed.
Risk and Exploitability
The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, but the potential impact is high. Based on the description, it is inferred that attackers would need the ability to influence the XML response returned by a configured Assembla server, for example through compromised Assembla credentials or a malicious Assembla instance. Once the XML is processed, the attacker could retrieve sensitive configuration data or perform unintended requests from within the Jenkins controller. The risk is therefore moderate to high, especially in environments where the plugin is routinely used and the Assembla server is accessible from Jenkins.
OpenCVE Enrichment