GHSA-vpfj-5gg5-fvfm

Опубликовано: 24 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 7.1

Описание

XXE vulnerability in Jenkins Cobertura Plugin

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Cobertura Plugin 1.16 disables external entity resolution for its XML parser.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:cobertura

maven

Затронутые версииВерсия исправления

<= 1.15

1.16

EPSS

Процентиль: 44%

0.00216

Низкий

7.1 High

CVSS3

CVE ID

CVE-2020-2138

Дефекты

CWE-611

Связанные уязвимости

CVE-2020-2138

CVSS3: 5.4

redhat

почти 6 лет назад

Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2020-2138

CVSS3: 7.1

nvd

почти 6 лет назад

Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

EPSS

Процентиль: 44%

0.00216

Низкий

7.1 High

CVSS3

CVE ID

CVE-2020-2138

Дефекты

CWE-611