PT-2020-15513 · Jenkins · Jenkins Liquibase Runner Plugin

Daniel Beck

·

Published

2020-09-23

·

Updated

2023-10-25

·

CVE-2020-2284

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Liquibase Runner Plugin versions 1.4.5 and earlier

Description

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. An attacker able to control the content of Liquibase changesets evaluated by the plugin can have the Jenkins controller parse a crafted XML document that declares external entities, allowing extraction of secrets from the controller or server-side request forgery (SSRF).

Recommendations

For Jenkins Liquibase Runner Plugin versions 1.4.5 and earlier, update to version 1.4.7 or later. Version 1.4.7 no longer parses Liquibase changesets, so crafted changeset XML is never handed to the controller's XML parser.

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2020-2284
GHSA-XX7G-F287-F9FQ

Affected Products

Jenkins
Jenkins Liquibase Runner Plugin