CVE-2020-2144

Name of the Vulnerable Software and Affected Versions Jenkins Rundeck Plugin versions 3.6.6 and earlier

Description The issue allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the XML parser not being configured to prevent XML external entity (XXE) attacks.

Recommendations For Jenkins Rundeck Plugin versions 3.6.6 and earlier, update to version 3.6.7 or later, which disables external entity resolution for its XML parser.