PT-2021-14712 · Jenkins · Jenkins Generic Webhook Trigger Plugin+1
Justin Philip
+2
·
Published
2021-06-18
·
Updated
2023-10-25
·
CVE-2021-21669
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Generic Webhook Trigger Plugin versions 1.72 and earlier
Description
The issue allows attackers to have Jenkins parse a crafted XML request body that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the XML parser not being configured to prevent XML external entity (XXE) attacks. Attackers with the ability to call webhooks configured to extract parameters using XPath can exploit this.
Recommendations
For Jenkins Generic Webhook Trigger Plugin versions 1.72 and earlier, update to version 1.74 or later, which disables external entity resolution for its XML parser.
Fix
XXE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Generic Webhook Trigger Plugin