
CVE-2021-43576 org.jenkins-ci.plugins:pom2config

Package

Manager: maven
Name: org.jenkins-ci.plugins:pom2config
Vulnerable Version: >=0 <=1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01284 (percentile 0.78836)

Details

XXE vulnerability in Jenkins pom2config Plugin

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities to extract secrets from the Jenkins controller or to perform server-side request forgery. As of publication of this advisory, there is no fix.
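Because the vulnerable range covers every released version and no fixed release is listed, the only mitigation on the Jenkins side is to remove or disable the plugin. The following is an added example, not code from the pom2config plugin or the Jenkins project, showing the two halves of the problem the advisory describes: a JAXP DOM parser with default settings resolves an external entity declared in a crafted POM's DOCTYPE (a file:// URI reads the controller's filesystem, an http:// URI turns into SSRF), while the same parser with the hardening the advisory says is missing rejects the document before any entity is touched. The sample POM, the class and method names, and the /etc/hostname path are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Constructed sample: a POM whose DOCTYPE declares an external entity.
    // With entity resolution enabled, the parser reads the referenced URI
    // (here a controller-side file; an http:// URI would be an SSRF) and
    // splices its contents into <description>, which is then returned to the
    // low-privilege user who uploaded the POM.
    static final String CRAFTED_POM =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE project [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<project>\n"
      + "  <description>&xxe;</description>\n"
      + "</project>\n";

    /** Default JAXP settings: DOCTYPEs are accepted and external entities resolved. */
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened JAXP settings: no DOCTYPE, no external entities, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE is the single feature that blocks XXE outright
        // (and entity-expansion DoS); the remaining features are defence in
        // depth for parsers that do not honour it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the POM and returns whatever ends up inside <description>. */
    static String parseDescription(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("description").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable path: the contents of /etc/hostname come back as the description.
        System.out.println("vulnerable: " + parseDescription(vulnerableBuilder(), CRAFTED_POM).trim());

        // Hardened path: the DOCTYPE itself is rejected, so the entity is never resolved.
        try {
            parseDescription(hardenedBuilder(), CRAFTED_POM);
            System.out.println("hardened: unexpectedly parsed");
        } catch (SAXException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run it on a Linux host with `javac XxeDemo.java && java XxeDemo`: the first line echoes the machine's hostname, the second reports that the DOCTYPE was disallowed. In a plugin, the hardened factory is the one to use for every parse of user-supplied XML; the JDK's default factory is the configuration the advisory is describing.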

Metadata

Created: 2022-05-24T19:20:33Z
Modified: 2023-10-27T16:08:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ppv9-v43c-xqpp/GHSA-ppv9-v43c-xqpp.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-ppv9-v43c-xqpp
Finding: F083
Auto approve: 1