CVE-2023-28682 – org.jenkins-ci.plugins:perfpublisher

Package

Manager: maven
Name: org.jenkins-ci.plugins:perfpublisher
Vulnerable Version: >=0 <=8.09

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00125 pctl0.32506

Details

Jenkins Performance Publisher Plugin vulnerable to XML external entity (XXE) attacks Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Metadata

Created: 2023-04-02T21:30:16Z
Modified: 2023-04-10T16:29:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qgm7-m77f-j8pf/GHSA-qgm7-m77f-j8pf.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-qgm7-m77f-j8pf
Finding: F083
Auto approve: 1