PT-2020-15391 · Jenkins · Jenkins Parasoft Findings Plugin

Federico Pellegrin · Published 2020-04-16 · Updated 2023-10-25 · CVE-2020-2178

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Parasoft Findings Plugin versions 10.4.3 and earlier

Description: The issue allows a user who can control the input files for the Parasoft Findings parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks.

Recommendations: For Jenkins Parasoft Findings Plugin versions 10.4.3 and earlier, update to version 10.4.4 or later, which disables external entity resolution for its XML parser.

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2020-2178
GHSA-2RH4-XGMQ-63JP

Affected Products

Jenkins
Jenkins Parasoft Findings Plugin