CVE-2021-21680 – org.jenkins-ci.plugins:nested-view

Package

Manager: maven
Name: org.jenkins-ci.plugins:nested-view
Vulnerable Version: >=0 <1.21

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00407 pctl0.60293

Details

XXE vulnerability in Jenkins Nested View Plugin Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks. This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Nested View Plugin 1.21 disables external entity resolution for its XML transformer.

Metadata

Created: 2022-05-24T19:12:36Z
Modified: 2023-10-27T16:00:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5wc4-w63v-97c3/GHSA-5wc4-w63v-97c3.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-5wc4-w63v-97c3
Finding: F083
Auto approve: 1