Lucene search

GoogleOSV:GHSA-58CH-C2JF-5G23

HistoryApr 02, 2023 - 9:30 p.m.

Jenkins remote-jobs-view-plugin vulnerable to XML external entity attacks

2023-04-0221:30:16

Google

osv.dev

jenkins

remote-jobs-view-plugin

xml

external entity

attacks

vulnerability

security

authentication

plugin

xxe

parser

permission

secrets

server-side request forgery

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

27.6%

JSON

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CPENameOperatorVersion
com.sap.jenkinsci:remote-jobs-view-plugineq0.0.3

CPE	Name	Operator	Version
	com.sap.jenkinsci:remote-jobs-view-plugin	eq	0.0.3

References

github.com/jenkinsci/remote-jobs-view-plugin

nvd.nist.gov/vuln/detail/CVE-2023-28684

www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2956

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

27.6%

JSON

Related for OSV:GHSA-58CH-C2JF-5G23