PT-2020-15534 · Jenkins · Jenkins Subversion Plugin

Daniel Beck · Published 2020-11-04 · Updated 2023-10-25 · CVE-2020-2304

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Subversion Plugin versions 2.13.1 and earlier
Description: The Jenkins Subversion Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. An attacker able to control an agent process can have the Jenkins controller parse a crafted changelog file; external entities declared in that file can be used to extract secrets from the controller or to perform server-side request forgery. The CVSS vector (PR:L, C:H, I:N, A:N) reflects that the attacker needs an existing foothold on an agent and that the impact is disclosure, not modification or denial of service.
Recommendations: For Jenkins Subversion Plugin versions 2.13.1 and earlier, update to version 2.13.2 or later, which disables external entity resolution for its XML parser. Until the update is applied, treat every agent that can run Subversion checkouts as able to read files on the controller.
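The following Java program is an added illustration of the weakness and the fix class described above; it is not code from the Subversion Plugin or from Jenkins. It constructs a changelog.xml in the svn log --xml shape (the constructed sample is embedded inline), writes a temporary file that stands in for a secret on the controller, and parses the changelog twice: once with a default JAXP DocumentBuilderFactory, which resolves the SYSTEM entity and copies the file contents into the commit message, and once with a parser hardened through the standard Xerces/SAX feature URIs, which rejects the DOCTYPE before any entity is resolved. The feature URIs and JAXP API calls are real; the class name, the sample changelog and the temporary secret file are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Demonstration only (hypothetical class); not the Subversion Plugin's own parser code. */
public final class ChangelogXxeDemo {

    /** Constructed stand-in for a file only the Jenkins controller process can read. */
    private static final String SECRET = "controller-only-secret";

    /** Constructed changelog in svn log --xml shape; the external entity lands in <msg>. */
    static String craftedChangelog(Path secretFile) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE log [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<log>\n"
             + "  <logentry revision=\"42\">\n"
             + "    <author>agent</author>\n"
             + "    <date>2020-11-04T00:00:00.000000Z</date>\n"
             + "    <paths><path action=\"M\" kind=\"file\">/trunk/README</path></paths>\n"
             + "    <msg>&xxe;</msg>\n"
             + "  </logentry>\n"
             + "</log>\n";
    }

    /** Default JAXP configuration: DOCTYPE accepted and external general entities resolved. */
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: no DOCTYPE, no external entities, no external DTD, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the text of the first <msg> element, i.e. what would be stored as the commit message. */
    static String firstCommitMessage(DocumentBuilder builder, String xml)
            throws SAXException, IOException {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("msg").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secretFile = Files.createTempFile("jenkins-demo-secret", ".txt");
        Files.write(secretFile, SECRET.getBytes(StandardCharsets.UTF_8));
        try {
            String xml = craftedChangelog(secretFile);

            // Unsafe parser: the commit message now contains the contents of the secret file.
            String leaked = firstCommitMessage(unsafeBuilder(), xml);
            System.out.println("default parser: msg = \"" + leaked + "\"");

            // Hardened parser: the DOCTYPE itself is rejected, so no entity is ever resolved.
            try {
                firstCommitMessage(hardenedBuilder(), xml);
                System.out.println("hardened parser: unexpectedly accepted the DOCTYPE");
            } catch (SAXException e) {
                System.out.println("hardened parser rejected the document: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secretFile);
        }
    }
}
```

Compile and run with `javac ChangelogXxeDemo.java && java ChangelogXxeDemo`. Replacing the file: URI in the entity declaration with an http: URL turns the same document into the server-side request forgery case from the description, since the controller performs the fetch. Disallowing the DOCTYPE outright is the strongest of the settings above; the remaining features are kept so the parser stays safe even if a later change re-enables DOCTYPE processing.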

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2020-2304
GHSA-VP5F-8JGW-J53C
RHSA-2021:0034
RHSA-2021:0038
RHSA-2021:0282
RHSA-2021:0637

Affected Products

Jenkins
Jenkins Subversion Plugin