Description

Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Remediation

References

https://jenkins.io/security/advisory/2018-02-05/

Related Vulnerabilities

CVE-2015-0226 Vulnerability in maven package org.apache.wss4j:wss4j-ws-security-dom

CVE-2016-4977 Vulnerability in maven package org.springframework.security.oauth:spring-security-oauth2

CVE-2019-10091 Vulnerability in maven package org.apache.geode:geode-core

CVE-2023-40340 Vulnerability in maven package org.jenkins-ci.plugins:nodejs

CVE-2023-50719 Vulnerability in maven package org.xwiki.platform:xwiki-platform-mail-general

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Tags

Vendor Advisory