PT-2021-14723 · Jenkins · Jenkins Nested View Plugin+1

Brian Hysell · Published 2021-08-31 · Updated 2023-11-22 · CVE-2021-21680

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Nested View Plugin versions 1.20 and earlier

Description: The issue arises from the Jenkins Nested View Plugin not configuring its XML transformer to prevent XML external entity (XXE) attacks. This allows attackers who can configure views to have Jenkins parse a crafted view XML definition, using external entities for extraction of secrets from the Jenkins controller or for server-side request forgery.

Recommendations: For Jenkins Nested View Plugin versions 1.20 and earlier, update to version 1.21 or later, which disables external entity resolution for its XML transformer.
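The misconfiguration and its fix, side by side, as an added Java example that is not the plugin's own code: a default javax.xml.transform.TransformerFactory resolves an external entity while running an identity transform over a view definition, whereas a factory with FEATURE_SECURE_PROCESSING enabled and empty ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET protocol lists rejects the same document. The class name XxeTransformerCheck, the canary temp file standing in for a controller secret, and the view XML are constructed for this demonstration; the hardened configuration is the JAXP-documented way to disable external entity resolution and is assumed to be equivalent in effect to the 1.21 fix, not a copy of it.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XxeTransformerCheck {

    // Weak setting: the JDK's default XSLT processor resolves external DTDs and
    // external entities unless restricted, which is the XXE exposure class.
    static TransformerFactory defaultFactory() {
        return TransformerFactory.newInstance();
    }

    // Corrected setting: secure processing plus empty protocol lists, so no
    // file:// or http:// fetch can happen while a document is transformed.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Identity transform of the XML; returns the serialized output, or null
    // when the transformer refuses the document (the desired hardened outcome).
    static String identityTransform(TransformerFactory tf, String xml) {
        try {
            Transformer t = tf.newTransformer();
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed canary file standing in for a secret on the controller.
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.write(canary, "CANARY-SECRET".getBytes(StandardCharsets.UTF_8));

        // Constructed view definition that references the canary via an external entity.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE view [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]>\n"
            + "<view><name>&ext;</name></view>";

        String weak = identityTransform(defaultFactory(), xml);
        String safe = identityTransform(hardenedFactory(), xml);

        // Expected: the default factory embeds the canary; the hardened one returns null.
        System.out.println("default factory leaked canary: "
            + (weak != null && weak.contains("CANARY-SECRET")));
        System.out.println("hardened factory rejected document: " + (safe == null));
        Files.deleteIfExists(canary);
    }
}
```

The same two-factory comparison works as a regression test for any Java component that feeds user-controlled XML into a Transformer: run the hardened factory over a document carrying an external entity and assert that the transform fails rather than succeeds, so a later refactor that drops the attributes is caught immediately.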

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2021-21680
GHSA-5WC4-W63V-97C3

Affected Products

Jenkins
Jenkins Nested View Plugin