GHSA-m53p-f25q-q6fg

Опубликовано: 24 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 7.6

Описание

XXE vulnerability in Jenkins Robot Framework Plugin

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:robot

maven

Затронутые версииВерсия исправления

< 2.0.1

2.0.1

EPSS

Процентиль: 35%

0.00147

Низкий

7.6 High

CVSS3

CVE ID

CVE-2020-2092

Дефекты

CWE-611

Связанные уязвимости

CVE-2020-2092

CVSS3: 8.8

nvd

около 6 лет назад

Jenkins Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing users with Job/Configure to have Jenkins parse crafted XML documents.

EPSS

Процентиль: 35%

0.00147

Низкий

7.6 High

CVSS3

CVE ID

CVE-2020-2092

Дефекты

CWE-611