CVE-2023-28681 – org.jenkins-ci.plugins:vs-code-metrics

Package

Manager: maven
Name: org.jenkins-ci.plugins:vs-code-metrics
Vulnerable Version: >=0 <=1.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00125 pctl0.32506

Details

Jenkins Visual Studio Code Metrics Plugin vulnerable to XML external entity (XXE) attacks Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Metadata

Created: 2023-04-02T21:30:17Z
Modified: 2023-04-10T16:30:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-8j88-2hfc-5rf3/GHSA-8j88-2hfc-5rf3.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-8j88-2hfc-5rf3
Finding: F083
Auto approve: 1