Description
Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.
Published: 2026-06-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the Jenkins Assembla Plugin does not properly configure its XML parser to reject external entity references. Based on, it is inferred that attackers who can control the responses from a configured Assembla server can craft XML that forces the Jenkins controller to resolve external entities and read files from the local filesystem or obtain credentials. This can lead to the exposure of secrets and potentially enable other destructive actions.

Affected Systems

The affected systems are any Jenkins installations that include the Jenkins Assembla Plugin version 1.4 or earlier. The plugin is distributed by the Jenkins Project and is commonly used to integrate Assembla repositories. No further vendor‑specific versions are listed; the issue affects all installations that have these older plugin releases deployed.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, but the potential impact is significant. Based on the description, it is inferred that attackers would need the ability to influence the XML response returned by a configured Assembla server, which could be an Assembla credentials or a malicious Assembla instance. Once the XML is processed, the attacker could retrieve sensitive configuration data or perform unintended requests from within the Jenkins controller. The risk is therefore moderate to high, especially in environments where the plugin is routinely used and the Assembla server is accessible from Jenkins.

Generated by OpenCVE AI on June 24, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Jenkins Assembla Plugin to the latest release that configures its XML parser to block external entities
  • If an upgrade is not immediately possible, disable or remove the Assembla plugin to eliminate the vulnerable entry point
  • Restrict network connectivity so that the Jenkins controller cannot contact external Assembla servers or any untrusted XML sources
  • Consider implementing a firewall or gateway that blocks XML requests containing DOCTYPE or external entity declarations

Generated by OpenCVE AI on June 24, 2026 at 21:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Jenkins Assembla Plugin XXE Vulnerability Allows Secret Extraction

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Assembla Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Assembla Plugin

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title XML External Entity Vulnerability in Jenkins Assembla Plugin Enables Secrets Exposure
Weaknesses CWE-611

Wed, 24 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title XML External Entity Vulnerability in Jenkins Assembla Plugin Enables Secrets Exposure
Weaknesses CWE-611

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-918
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.
References

Subscriptions

Jenkins Project Jenkins Assembla Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:19:33.790Z

Reserved: 2026-06-24T08:41:44.359Z

Link: CVE-2026-57303

cve-icon Vulnrichment

Updated: 2026-06-24T14:17:24.201Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)