CVE-2022-30971 – org.jvnet.hudson.plugins:storable-configs-plugin
Package
Manager: maven
Name: org.jvnet.hudson.plugins:storable-configs-plugin
Vulnerable Version: >=0 <=1.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0163 (percentile 0.81183)
Details
XML External Entity Reference in Jenkins Storable Configs Plugin
Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities, either to extract secrets from the Jenkins controller or to perform server-side request forgery.
Metadata
Created: 2022-05-18T00:00:42Z
Modified: 2022-12-02T20:07:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wqmp-2p5r-rhfv/GHSA-wqmp-2p5r-rhfv.json
CWE IDs: CWE-611
Alternative ID: GHSA-wqmp-2p5r-rhfv
Finding: F083
Auto approve: 1