PT-2020-15535 · Jenkins · Jenkins Mercurial Plugin

Daniel Beck · Published 2020-11-04 · Updated 2023-10-25 · CVE-2020-2305

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Mercurial Plugin versions 2.11 and earlier
Jenkins Mercurial Plugin versions prior to 2.12
Jenkins Mercurial Plugin versions prior to 2.10.1
Jenkins Mercurial Plugin versions prior to 2.9.1
Jenkins Mercurial Plugin versions prior to 2.8.1

Description

Attackers who can control an agent process can have Jenkins parse a crafted changelog file. Because the plugin's XML parser is not configured to prevent XML external entity (XXE) attacks, such a file can use external entities to extract secrets from the Jenkins controller or to perform server-side request forgery.

Recommendations

For Jenkins Mercurial Plugin versions 2.11 and earlier, update to version 2.12 or later.
For Jenkins Mercurial Plugin versions prior to 2.10.1, update to version 2.10.1 or later.
For Jenkins Mercurial Plugin versions prior to 2.9.1, update to version 2.9.1 or later.
For Jenkins Mercurial Plugin versions prior to 2.8.1, update to version 2.8.1 or later.

As a temporary workaround, consider disabling the XML parser until a patch is available.
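Added example, not code from the Mercurial plugin: a JAXP DocumentBuilderFactory configured the way the description says the plugin's parser was not, so that an agent-supplied changelog carrying a DOCTYPE (and therefore any entity declaration) is rejected before any entity could be resolved. The class and method names and the sample changelog are constructed for illustration; the real plugin's changelog element names may differ.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedChangelogParser {

    // Hypothetical helper (not from the plugin): a factory with every
    // JAXP/Xerces feature that enables XXE switched off.
    static DocumentBuilderFactory secureFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: a changelog never needs one, and this
        // blocks both inline and external entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses changelog XML with the hardened factory and returns the root
    // element name, or null when the parser rejects the document.
    static String parse(String xml) throws Exception {
        DocumentBuilder db = secureFactory().newDocumentBuilder();
        try {
            Document d = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the shape of an agent-supplied changelog.
        String benign = "<changesets><changeset rev=\"42\" author=\"dev\">fix</changeset></changesets>";
        // The same file with a DOCTYPE prepended, the precondition for
        // declaring entities; the hardened parser refuses it at this point.
        String withDoctype = "<!DOCTYPE changesets>" + benign;
        System.out.println("benign  -> " + parse(benign));
        System.out.println("doctype -> " + parse(withDoctype));
    }
}
```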

Tags: Exploit · Fix · XXE

Related Identifiers

CVE-2020-2305
GHSA-X58R-WXC3-7PQR
RHSA-2021:0034
RHSA-2021:0038
RHSA-2021:0282
RHSA-2021:0637

Affected Products

Jenkins
Jenkins Mercurial Plugin