Описание
XXE vulnerability in Jenkins OWASP Dependency-Check Plugin
Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Пакеты
Наименование
org.jenkins-ci.plugins:dependency-check-jenkins-plugin
maven
Затронутые версииВерсия исправления
<= 5.1.1
5.1.2
Связанные уязвимости
CVSS3: 7.1
nvd
около 4 лет назад
Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.