Impact
The vulnerability arises because the Jenkins Assembla Plugin does not properly configure its XML parser to reject external entity references. Based on, it is inferred that attackers who can control the responses from a configured Assembla server can craft XML that forces the Jenkins controller to resolve external entities and read files from the local filesystem or obtain credentials. This can lead to the exposure of secrets and potentially enable other destructive actions.
Affected Systems
The affected systems are any Jenkins installations that include the Jenkins Assembla Plugin version 1.4 or earlier. The plugin is distributed by the Jenkins Project and is commonly used to integrate Assembla repositories. No further vendor‑specific versions are listed; the issue affects all installations that have these older plugin releases deployed.
Risk and Exploitability
The CVSS score is 7.1, indicating high severity. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, but the potential impact is significant. Based on the description, it is inferred that attackers would need the ability to influence the XML response returned by a configured Assembla server, which could be an Assembla credentials or a malicious Assembla instance. Once the XML is processed, the attacker could retrieve sensitive configuration data or perform unintended requests from within the Jenkins controller. The risk is therefore moderate to high, especially in environments where the plugin is routinely used and the Assembla server is accessible from Jenkins.
OpenCVE Enrichment