CVE-2020-2305

Опубликовано: 04 нояб. 2020

Источник: redhat

CVSS3: 6.5

EPSS Низкий

Описание

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent an XML external entity (XXE) attack allowing an attacker the ability to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality.

Меры по смягчению последствий

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-611

https://bugzilla.redhat.com/show_bug.cgi?id=1895940jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks

EPSS

Процентиль: 66%

0.00503

Низкий

6.5 Medium

CVSS3

Связанные уязвимости

CVE-2020-2305

CVSS3: 6.5

nvd

больше 5 лет назад

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

GHSA-x58r-wxc3-7pqr

CVSS3: 6.5

github

больше 3 лет назад

XXE vulnerability in Jenkins Mercurial Plugin

EPSS

Процентиль: 66%

0.00503

Низкий

6.5 Medium

CVSS3