XXE vulnerability in Jenkins Nested View Plugin
High severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Dec 7, 2023
Description
Published by the National Vulnerability Database
Aug 31, 2021
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Dec 15, 2022
Last updated
Dec 7, 2023
Credits
-
NotMyFault Analyst
Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.
This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Nested View Plugin 1.21 disables external entity resolution for its XML transformer.
References