PT-2021-14700 · Jenkins · Jenkins Filesystem Trigger Plugin

Kevin Guerroudj · Published 2021-05-25 · Updated 2023-10-25 · CVE-2021-21657

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Filesystem Trigger Plugin versions 0.40 and earlier

Description: The issue allows attackers with Job/Configure permission, or those able to control the contents of an XML file being polled for changes, to have Jenkins parse a crafted XML document. This can lead to extraction of secrets from the polling Jenkins controller or agent, server-side request forgery, or denial-of-service attacks. The problem arises because the XML parser is not configured to prevent XML external entity (XXE) attacks.

Recommendations: For Jenkins Filesystem Trigger Plugin versions 0.40 and earlier, update to version 0.41 or later, which disables external entity resolution for its XML parser.

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2021-21657
GHSA-CPHV-7CXW-5HCC

Affected Products

Jenkins
Jenkins Filesystem Trigger Plugin