Description
XXE vulnerability in Jenkins WebSphere Deployer Plugin
WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.
Packages
Name: org.jenkins-ci.plugins:websphere-deployer (maven)
Affected versions: <= 1.6.1
Fixed version: None
Related vulnerabilities
CVSS3: 7.6
nvd
about 6 years ago
Jenkins WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XXE attacks which can be exploited by a user with Job/Configure permissions.