PT-2020-15298 · Jenkins · Jenkins Robot Framework Plugin+1

Federico Pellegrin · Published 2020-01-15 · Updated 2023-10-25 · CVE-2020-2092

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Jenkins Robot Framework Plugin versions 2.0.0 and earlier
Description: The issue allows users with specific permissions to have Jenkins parse crafted XML documents, potentially leading to extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks. This is due to the XML parser not being configured to prevent XML external entity (XXE) attacks. A user able to control the input files for the 'Publish Robot Framework' post-build step can exploit this.
Recommendations: For Jenkins Robot Framework Plugin versions 2.0.0 and earlier, update to version 2.0.1 or later, which disables external entity resolution for its XML parser.
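The fix the advisory describes comes down to how the XML parser factory is configured. The following is an added illustration, not the plugin's own code: it puts a JDK-default `DocumentBuilderFactory` (the weak setting) beside a hardened one that rejects DOCTYPE declarations and external entities, and checks both against a constructed Robot-style output file; class and method names are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
public class HardenedXmlParsing {
    // Hypothetical hardened factory (not the plugin's own code): DOCTYPEs are rejected
    // outright, so no entity, internal or external, can ever be declared or resolved.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth if a DOCTYPE ever had to be allowed: no external entities, no external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // The weak configuration the advisory describes: a factory left at JDK defaults.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }
    // Returns true if the factory accepts the document, false if the parser rejects it.
    static boolean accepts(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample input: a minimal Robot-style output file carrying a DOCTYPE
        // with a harmless internal entity, enough to show whether DOCTYPEs get through.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE robot [<!ENTITY e \"placeholder\">]>"
            + "<robot><suite name=\"&e;\"/></robot>";
        String plain = "<robot><suite name=\"s\"/></robot>";
        System.out.println("JDK-default factory accepts DOCTYPE: " + accepts(defaultFactory(), withDoctype));
        System.out.println("hardened factory accepts DOCTYPE:    " + accepts(hardenedFactory(), withDoctype));
        System.out.println("hardened factory accepts plain file: " + accepts(hardenedFactory(), plain));
    }
}
```

The hardened factory rejects the DOCTYPE-bearing file while still accepting an ordinary report, which is the behaviour to verify when reviewing any code path that parses build artifacts uploaded by users.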

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2020-2092
GHSA-M53P-F25Q-Q6FG

Affected Products

Jenkins
Jenkins Robot Framework Plugin