PT-2021-14701 · Jenkins · Jenkins Nuget Plugin+1

Kevin Guerroudj · Published 2021-05-25 · Updated 2023-10-25 · CVE-2021-21658

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Nuget Plugin versions 1.0 and earlier
Description: The XML parser that the Jenkins Nuget Plugin uses for its "Build on NuGet updates" feature does not prevent XML external entity (XXE) attacks. An attacker who can control the contents of the packages.config file can therefore have the plugin parse a crafted XML document, which can lead to the extraction of secrets from the Jenkins controller or to server-side request forgery.
Recommendations: For Jenkins Nuget Plugin versions 1.0 and earlier, update to version 1.1 or later, which disables external entity resolution for its XML parser.
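As an added illustration, not code from the plugin itself, the following Java parser for packages.config is hardened in the way the recommendation describes: external entity resolution is switched off and, since packages.config never needs a DOCTYPE, any document carrying one is rejected before an entity can be resolved. The class and method names, the sample documents and the file URL in the second sample are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public class SafePackagesConfig {
    // A DocumentBuilder that cannot be coerced into resolving external entities.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // packages.config never needs a DOCTYPE, so reject any document that has one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // Parse a packages.config body and return the id of every <package> element.
    static List<String> packageIds(String xml) throws Exception {
        Document doc = hardenedBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName("package");
        List<String> ids = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            ids.add(((Element) nodes.item(i)).getAttribute("id"));
        }
        return ids;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary packages.config parses normally.
        String clean = "<packages><package id=\"Newtonsoft.Json\" version=\"13.0.1\"/></packages>";
        System.out.println("clean: " + packageIds(clean));
        // Constructed sample: the same file with a DOCTYPE declaring an external entity
        // (placeholder URL); the hardened parser rejects it at the DOCTYPE.
        String doctype = "<!DOCTYPE packages [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
            + "<packages><package id=\"&ext;\" version=\"1.0\"/></packages>";
        try {
            packageIds(doctype);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```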

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2021-21658
GHSA-P674-HH8X-RV5H

Affected Products

Jenkins
Jenkins Nuget Plugin