PT-2021-14702 · Jenkins · Jenkins Urltrigger Plugin

Kevin Guerroudj · Published 2021-05-25 · Updated 2023-10-25 · CVE-2021-21659

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins URLTrigger Plugin versions 0.48 and earlier

Description: The XML parser used by the plugin is not configured to prevent XML external entity (XXE) attacks. Attackers with Job/Configure permission, or who can control the contents of a URL pointing to an XML document that the plugin polls for changes, can have Jenkins parse a crafted XML document. This can lead to extraction of secrets from the polling Jenkins controller or agent, server-side request forgery, or denial of service.

Recommendations: For Jenkins URLTrigger Plugin versions 0.48 and earlier, update to version 0.49 or later, which disables external entity resolution for its XML parser.
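As an added illustration (not code from this advisory or from the URLTrigger plugin itself), the following Java class shows a JAXP DocumentBuilderFactory configured the way the fix describes, with DOCTYPE declarations and external entity resolution disabled; the class name, method names and sample documents are my own.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public final class SafeXmlParser {

    // Build a DocumentBuilder that cannot resolve external entities.
    // A factory left at its defaults accepts DOCTYPEs and resolves external
    // entities, which is the misconfiguration the advisory describes.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no external entity declarations, no entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Block remaining outbound fetches (DTD or schema) at the JAXP level.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parse a polled document and return its root element name,
    // or null when the hardened parser rejects the document.
    static String rootElement(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTagName();
        } catch (SAXException rejected) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents; not taken from any real URLTrigger poll.
        String plain = "<status><build>42</build></status>";
        String withDoctype = "<!DOCTYPE status [<!ENTITY e \"x\">]><status>&e;</status>";
        System.out.println("plain document root: " + rootElement(plain));
        System.out.println("document with DOCTYPE: " + rootElement(withDoctype));
    }
}
```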

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2021-21659
GHSA-34J5-C4CV-MMG5

Affected Products

Jenkins
Jenkins Urltrigger Plugin