Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03MzJmLXc1ODUtZ21wY84AAo4d
XXE vulnerability in Jenkins Generic Webhook Trigger Plugin
Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to call webhooks configured to extract parameters using XPath to have Jenkins parse a crafted XML request body that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Generic Webhook Trigger Plugin 1.74 disables external entity resolution for its XML parser.
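The advisory describes the mechanism only in prose: a webhook configured to pull parameters out of the request body with XPath hands the body to an XML parser, and a parser that still resolves external entities turns the XPath result into the contents of a controller-side file (or into a server-side request if the entity URL is http://). The following Java program is an added illustration of that failure mode and of the class of fix the advisory names (disabling external entity resolution); it is not the plugin's own code and does not reproduce the patched class. The class and method names, the XPath expression `/build/name`, the crafted body, and the `file:///etc/hostname` target are all assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class WebhookXpathXxe {

    // Constructed request body (not from the advisory): what an attacker who can
    // reach the webhook endpoint would POST. The DOCTYPE declares an external
    // entity pointing at a file on the controller; the XPath expression the
    // trigger is configured with then copies the expansion into a build
    // parameter. Swapping the SYSTEM URL for http://internal-host/... turns the
    // same request into server-side request forgery from the controller.
    static final String CRAFTED_BODY =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE build [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +   // assumed target path
        "]>\n" +
        "<build><name>&xxe;</name></build>";

    // Vulnerable pattern: a stock DocumentBuilderFactory on the JDK resolves
    // external general entities, so the XPath result is the file's contents.
    static String extractUnsafe(String body, String xpathExpr) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return evaluate(f, body, xpathExpr);
    }

    // Hardened pattern: reject DOCTYPE outright (no DTD means no entity
    // declarations), and additionally switch off external entity resolution and
    // external DTD loading for parsers that do not honour the first feature.
    static String extractHardened(String body, String xpathExpr) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return evaluate(f, body, xpathExpr);
    }

    // Shared parse-then-XPath step, mirroring "extract parameters using XPath".
    private static String evaluate(DocumentBuilderFactory f, String body, String xpathExpr)
            throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        XPath xp = XPathFactory.newInstance().newXPath();
        return xp.evaluate(xpathExpr, doc);
    }

    public static void main(String[] args) throws Exception {
        String xpath = "/build/name";   // assumed webhook parameter expression

        // Default parser: the "name" parameter is populated from /etc/hostname.
        // On a host without that file the parse fails with an I/O error instead,
        // which still shows the parser went and fetched the entity.
        System.out.println("unsafe: " + extractUnsafe(CRAFTED_BODY, xpath));

        // Hardened parser: the DOCTYPE is rejected before any entity is resolved.
        try {
            extractHardened(CRAFTED_BODY, xpath);
            System.out.println("hardened: unexpectedly parsed");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac WebhookXpathXxe.java && java WebhookXpathXxe`; no dependencies beyond the JDK. When auditing a plugin or service for this bug, the check is the same as the second method: every `DocumentBuilderFactory`, `SAXParserFactory`, `XMLInputFactory` or `TransformerFactory` that touches untrusted input must have DOCTYPE or external entities disabled, because the default JDK configuration is the vulnerable one.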
Permalink: https://github.com/advisories/GHSA-732f-w585-gmpc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MzJmLXc1ODUtZ21wY84AAo4d
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-732f-w585-gmpc, CVE-2021-21669
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21669
- https://www.jenkins.io/security/advisory/2021-06-18/#SECURITY-2330
- http://www.openwall.com/lists/oss-security/2021/06/18/1
- https://plugins.jenkins.io/generic-webhook-trigger/#dependencies
- https://github.com/jenkinsci/generic-webhook-trigger-plugin/commit/da434dfca1b82f5de81e29438762370d652493b8
- https://github.com/advisories/GHSA-732f-w585-gmpc
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:generic-webhook-trigger
Affected Version Ranges: <= 1.72
Fixed in: 1.74