
exploitDog


CVE-2020-2304

Published: 04 Nov 2020
Source: redhat
CVSS3: 6.5

Description

Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

A flaw was found in the subversion Jenkins plugin. The XML parser is not properly configured to prevent XML external entity (XXE) attacks allowing an attacker the ability to control an agent process and have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality.

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.

Additional information

Status:

Important
Defect:
CWE-611
https://bugzilla.redhat.com/show_bug.cgi?id=1895939
jenkins-2-plugins/subversion: XML parser is not preventing XML external entity (XXE) attacks

6.5 Medium

CVSS3

Related vulnerabilities

CVSS3: 6.5
nvd
more than 5 years ago

Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVSS3: 6.5
github
more than 3 years ago

XXE vulnerability in Jenkins Subversion Plugin


Vulnerability CVE-2020-2304