Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNXd4LXcyZjktODJnaM4AAjcW
XXE vulnerability in Jenkins WebSphere Deployer Plugin
WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNXd4LXcyZjktODJnaM4AAjcW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.6
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Identifiers: GHSA-f5wx-w2f9-82gh, CVE-2020-2108
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2108
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1719
- http://www.openwall.com/lists/oss-security/2020/01/29/1
- https://github.com/advisories/GHSA-f5wx-w2f9-82gh
Affected Packages
maven:org.jenkins-ci.plugins:websphere-deployer
Affected Version Ranges: <= 1.6.1No known fixed version