Description
An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.
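The mechanism behind this class of bug, as an added example that is not the plugin's own code: a `DocumentBuilderFactory` left at its JDK defaults resolves a `SYSTEM` entity in an attacker-supplied DOCTYPE, so the parsed document carries the contents of whatever local file (or URL) the entity points at. The hardened factory below rejects the DOCTYPE outright and disables external entity and DTD loading, which is the standard fix for a Java XML parser. The temp file, its contents and the payload are constructed for the demo; `Files.writeString` assumes Java 11 or later.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload: an external general entity that points at a local file.
    // An attacker who controls the XML input file can supply exactly this.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY ext SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<data><value>&ext;</value></data>";
    }

    // Vulnerable pattern: a factory with default settings resolves external entities.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened pattern: refuse DOCTYPE declarations and turn off every external fetch.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE alone blocks XXE, billion-laughs and external DTDs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document with the given factory and returns the text of <value>.
    static String extractValue(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("value").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret lying on the agent filesystem (constructed for the demo).
        Path secret = Files.createTempFile("agent-secret", ".txt");
        Files.writeString(secret, "super-secret-token");
        String xml = payload(secret);
        try {
            // Default factory: the entity is resolved and the file contents come back.
            System.out.println("vulnerable: " + extractValue(vulnerableFactory(), xml));
            try {
                System.out.println("hardened: " + extractValue(hardenedFactory(), xml));
            } catch (SAXParseException e) {
                // Hardened factory: parsing fails at the DOCTYPE before any entity is touched.
                System.out.println("hardened: rejected -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo`. The first line prints the temp file's contents, which is the "extraction of secrets from the Jenkins agent" outcome the advisory describes; pointing the entity at an `http://` URL instead gives the SSRF variant, and a recursive entity expansion gives the DoS variant. The hardened factory fails the parse as soon as it sees `<!DOCTYPE`, so none of the three is reachable.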
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | jenkins-plugin-token-macro | Will not fix | | |
| Red Hat OpenShift Container Platform 3.6 | jenkins-plugin-token-macro | Will not fix | | |
| Red Hat OpenShift Container Platform 3.7 | jenkins-plugin-token-macro | Will not fix | | |
| Red Hat OpenShift Container Platform 3.9 | jenkins-plugin-token-macro | Will not fix | | |
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fixed | RHSA-2019:1851 | 24.07.2019 |
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Fixed | RHSA-2019:1851 | 24.07.2019 |
| Red Hat OpenShift Container Platform 4.1 | jenkins-2-plugins | Fixed | RHSA-2019:1636 | 03.07.2019 |
Additional information
CVSS3: 6.5 Medium
Related vulnerabilities
Improper Restriction of XML External Entity Reference in Jenkins Token Macro Plugin
A vulnerability in the Jenkins Token Macro plugin caused by improper restriction of XML external entity references, allowing an attacker to perform server-side request forgery or cause a denial of service
CVSS3: 6.5 Medium