Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocjhwLTc2cTgtZnh3cc4AAqqY
XXE vulnerability in Jenkins Performance Plugin
Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
Permalink: https://github.com/advisories/GHSA-hr8p-76q8-fxwqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocjhwLTc2cTgtZnh3cc4AAqqY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-hr8p-76q8-fxwq, CVE-2021-21701
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21701
- https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2394
- https://www.zerodayinitiative.com/advisories/ZDI-21-1313/
- http://www.openwall.com/lists/oss-security/2021/11/12/1
- https://github.com/advisories/GHSA-hr8p-76q8-fxwq
Affected Packages
maven:org.jenkins-ci.plugins:performance
Affected Version Ranges: <= 3.20No known fixed version