PT-2021-14715 · Jenkins · Jenkins Selenium HTML Report Plugin

Justin Philip +2

Published 2021-06-30 · Updated 2023-10-25

CVE-2021-21672

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Selenium HTML report Plugin versions 1.0 and earlier

Description
The plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. An attacker who can control the report files parsed by the plugin can craft a report that declares external entities, which the parser resolves on the Jenkins controller when the report is processed. This can be used to read secrets from the controller's file system or to perform server-side request forgery (SSRF) from the controller.

Recommendations
For Jenkins Selenium HTML report Plugin versions 1.0 and earlier, update to version 1.1 or later, which disables external entity resolution for its XML parser.
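The example below is added here to illustrate the class of bug; it is not the plugin's code, and the report layout, element names, helper names and the temporary "secret" file are all constructed for the demonstration. It parses the same crafted report twice with Java's JAXP DOM API: once with a default `DocumentBuilderFactory`, which resolves the external entity and copies the referenced file into the document, and once with a factory that refuses any DOCTYPE and switches off external entity and DTD loading, which is the kind of hardening the fixed plugin version applies.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeReportDemo {

    // Vulnerable shape: a default JAXP factory. The JDK parser resolves external
    // general entities unless told otherwise, so a report that declares one pulls
    // the referenced resource (a file, or an http:// URL for SSRF) into the tree.
    static Document parseUnsafe(byte[] report) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(report));
    }

    // Hardened shape: a report file never needs a DOCTYPE, so reject it outright.
    // The remaining settings are defence in depth for parsers that ignore the
    // first feature: no external entities, no external DTD, no XInclude.
    static Document parseSafe(byte[] report) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(report));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the controller; a real
        // attacker would point the entity at something under JENKINS_HOME.
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.writeString(secret, "s3cr3t-token");

        // Constructed attacker-controlled report. The external entity must be
        // referenced from element content: the XML spec forbids external entity
        // references inside attribute values.
        String crafted =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE report [\n" +
            "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n" +
            "]>\n" +
            "<report><test name=\"login\">&xxe;</test></report>\n";
        byte[] report = crafted.getBytes(StandardCharsets.UTF_8);

        Document leakedDoc = parseUnsafe(report);
        String leaked = leakedDoc.getElementsByTagName("test").item(0).getTextContent();
        System.out.println("default parser expanded the entity to: " + leaked);

        try {
            parseSafe(report);
            System.out.println("hardened parser accepted the report (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the report: " + e.getMessage());
        }

        Files.deleteIfExists(secret);
    }
}
```

Run it with `java XxeReportDemo.java` (Java 11 or later). The first parse prints the temporary file's contents inside the report, which is the "extraction of secrets" the advisory describes; replacing the `file:` URI with an `http://` URL to an internal host gives the SSRF variant. The second parse fails with "DOCTYPE is disallowed" before any entity is resolved. Disallowing DOCTYPE is the strictest option; if a consumer genuinely needs an internal DTD, keep the remaining features and attributes and drop only the first one.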

Fix

XXE


Weakness Enumeration

Related Identifiers

CVE-2021-21672
GHSA-HXXP-6546-WV6R

Affected Products

Jenkins
Jenkins Selenium Html Report Plugin