GHSA-ppv9-v43c-xqpp

Опубликовано: 24 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

XXE vulnerability in Jenkins pom2config Plugin

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:pom2config

maven

Затронутые версииВерсия исправления

<= 1.2

Отсутствует

EPSS

Процентиль: 51%

0.00275

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2021-43576

Дефекты

CWE-611

Связанные уязвимости

CVE-2021-43576

CVSS3: 6.5

nvd

около 4 лет назад

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

EPSS

Процентиль: 51%

0.00275

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2021-43576

Дефекты

CWE-611