PT-2020-15466 · Jenkins · Jenkins Valgrind Plugin

Federico Pellegrin · Published 2020-09-01 · Updated 2023-10-25 · CVE-2020-2245

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Valgrind Plugin versions 0.28 and earlier
Description: The XML parser used by the Jenkins Valgrind Plugin is not configured to prevent XML external entity (XXE) attacks. A user who can control the input files read by the Valgrind plugin parser can therefore have Jenkins parse a crafted file that references external entities, which can lead to the extraction of secrets from the Jenkins controller or to server-side request forgery.
Recommendations: For Jenkins Valgrind Plugin versions 0.28 and earlier, consider disabling the XML parser or restricting the input files read by the Valgrind plugin parser until a patch is available. As a temporary workaround, restrict access to the plugin's configuration to minimize the risk of exploitation.

Fix

XXE


Weakness Enumeration

Related Identifiers

CVE-2020-2245
GHSA-XQ2Q-8HXC-7JR2

Affected Products

Jenkins
Jenkins Valgrind Plugin