CVE-2020-2247

Name of the Vulnerable Software and Affected Versions Jenkins Klocwork Analysis Plugin versions 2020.2.1 and earlier

Description The issue concerns an XML external entity (XXE) attack. This occurs because the XML parser is not configured to prevent such attacks, allowing a user who can control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file. This can lead to the extraction of secrets from the Jenkins controller or server-side request forgery.

Recommendations For Jenkins Klocwork Analysis Plugin versions 2020.2.1 and earlier, consider disabling the XML parser functionality until a patch is available to prevent XXE attacks. Restrict access to the plugin's input files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.