XXE vulnerability in Jenkins Subversion Plugin
Moderate severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Dec 20, 2023
Package
Affected versions
< 2.13.2
Patched versions
2.13.2
Description
Published by the National Vulnerability Database
Nov 4, 2020
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Dec 21, 2022
Last updated
Dec 20, 2023
Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Subversion Plugin 2.13.2 disables external entity resolution for its XML parser.
References