Jenkins Visual Studio Code Metrics Plugin vulnerable to XML external entity (XXE) attacks
High severity · GitHub Reviewed
Published Apr 2, 2023 to the GitHub Advisory Database • Updated Apr 10, 2023
Package
Affected versions: <= 1.7
Patched versions: None
Description
Published by the National Vulnerability Database: Apr 2, 2023
Published to the GitHub Advisory Database: Apr 2, 2023
Reviewed: Apr 3, 2023
Last updated: Apr 10, 2023
Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
As a result, an attacker who can control the contents of a VS Code Metrics file that the plugin reads can make the Jenkins controller parse a crafted XML document whose external entities read files from the controller's filesystem (extracting secrets) or fetch URLs on the controller's behalf (server-side request forgery). As of this advisory no fixed release exists, so the mitigation is to stop using the plugin, or at minimum to restrict who can influence the metrics files a job reads.
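The following is an added illustration of the bug class, not code from the plugin or from this advisory. It builds a constructed metrics-style XML document carrying an external entity, parses it once with an unconfigured JAXP `DocumentBuilderFactory` (the pattern the advisory describes) to show the referenced file's contents landing in the parsed document, and once with a hardened factory that rejects the `DOCTYPE`. The element names (`CodeMetricsReport`, `Target`, `Name`) and the class name are assumptions for the demo and are not the plugin's real schema.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class MetricsXxeDemo {

    // Constructed stand-in for an attacker-controlled metrics file. The element
    // names are an assumption for this demo, not the plugin's real schema. The
    // SYSTEM identifier could equally be an http:// URL, which turns the same
    // parser misconfiguration into SSRF from the Jenkins controller.
    static String craftedReport(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE CodeMetricsReport [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<CodeMetricsReport>\n"
             + "  <Target><Name>&xxe;</Name></Target>\n"
             + "</CodeMetricsReport>\n";
    }

    // Vulnerable pattern: a JAXP factory left at its defaults. The JDK's built-in
    // parser resolves external general entities, so &xxe; expands to the contents
    // of whatever the SYSTEM identifier points at.
    static String nameFromUnconfiguredParser(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("Name").item(0).getTextContent();
    }

    // Hardened pattern: refuse any DOCTYPE (which removes entity declarations
    // entirely), and additionally switch off external entity and DTD loading in
    // case a different JAXP implementation does not honour the first feature.
    static String nameFromHardenedParser(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("Name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for a file on the Jenkins controller.
        Path secretFile = Files.createTempFile("controller-secret", ".txt");
        Files.writeString(secretFile, "api-token-0123456789");
        try {
            String xml = craftedReport(secretFile);

            // Default parser: the file contents end up inside the parsed document.
            System.out.println("unconfigured parser read: " + nameFromUnconfiguredParser(xml));

            // Hardened parser: the DOCTYPE is rejected before any entity is touched.
            try {
                nameFromHardenedParser(xml);
                System.out.println("hardened parser unexpectedly accepted the document");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected the document: " + e.getMessage());
            }
        } finally {
            Files.delete(secretFile);
        }
    }
}
```

Compile and run with `javac MetricsXxeDemo.java && java MetricsXxeDemo`. The first parse prints the temp file's contents, which is exactly the secret-extraction path the advisory describes; the second fails with a `SAXParseException` about the disallowed `DOCTYPE`. In a real plugin the equivalent fix is to parse through a factory configured as in `nameFromHardenedParser`, or through the hardened helper Jenkins core provides for this purpose (`jenkins.util.xml.XMLUtils.parse`, which this advisory does not itself reference).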
References