CVE-2021-43576

Name of the Vulnerable Software and Affected Versions Jenkins pom2config Plugin versions 1.2 and earlier

Description The issue allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks.

Recommendations For Jenkins pom2config Plugin versions 1.2 and earlier: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the plugin or disabling the XML parser to minimize the risk of exploitation.