CVE-2020-2120

Name of the Vulnerable Software and Affected Versions Jenkins FitNesse Plugin versions 1.30 and earlier

Description The issue allows a user who can control the input files for the post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks. This is due to the XML parser not being configured to prevent XML external entity (XXE) attacks.

Recommendations For Jenkins FitNesse Plugin versions 1.30 and earlier, update to version 1.31 or later, which disables external entity processing for its XML parser.