[com.compuware.jenkins:compuware-common-configuration] Jenkins Compuware Common Configuration Plugin vulnerable to Improper Restriction of XML External Entity Reference

Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Version 1.0.15 contains a patch.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-41226
• https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2832
• https://github.com/jenkinsci/compuware-common-configuration-plugin/pull/24
• https://github.com/jenkinsci/compuware-common-configuration-plugin/commit/351a46798cdc10479cb6966f05a51bc2174806a0
• https://github.com/jenkinsci/compuware-common-configuration-plugin/commit/8410fd5e0a619200f5bc2e906ecba940e8506436
• https://github.com/advisories/GHSA-g43x-pcc9-f472