CVE-2023-28683 – org.jenkins-ci.plugins:phabricator-plugin

Package

Manager: maven
Name: org.jenkins-ci.plugins:phabricator-plugin
Vulnerable Version: >=0 <=2.1.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00125 pctl0.32487

Details

Jenkins Phabricator Differential Plugin vulnerable to XML external entity (XXE) attacks Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control coverage report file contents for the `Post to Phabricator` post-build action to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Metadata

Created: 2023-04-02T21:30:16Z
Modified: 2023-04-10T16:27:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-w4g6-8xqp-g92m/GHSA-w4g6-8xqp-g92m.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-w4g6-8xqp-g92m
Finding: F083
Auto approve: 1