CVE-2020-2324
Published 2020-12-03. CVE-2020-2324: Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Priority: P3 · 42 · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.34% (67.8th percentile)
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | chaos_monkey_plugin | — | — |
| jenkins | cvs | <= 2.16 | — |
| jenkins | cvs_plugin | — | — |
| jenkins | docker_images_of_jenkins_2.269_and_2.263.1_contain_plugin | — | — |
| jenkins | installation_manager_tool_did_not_verify_plugin | — | — |
| jenkins | jenkins_is_running_plugin | — | — |
| jenkins | manager_tool_2.1.3_and_earlier_does_not_verify_plugin | — | — |
| jenkins | shelve_project_plugin | — | — |
| jenkins | xml_parser_plugin | — | — |
| jenkins_project | jenkins_cvs_plugin | unspecified – 2.16 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
GHSA
ghsa · 2022-05-24
CVE-2020-2324 [HIGH] CWE-611: XXE vulnerability in Jenkins CVS Plugin
Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins CVS Plugin 2.17 disables external entity resolution for its XML parser.
OSV
osv · 2022-05-24
CVE-2020-2324 [HIGH] XXE vulnerability in Jenkins CVS Plugin
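The mitigation the advisory describes (disabling external entity resolution on the XML parser), shown in working Java as an added example that is not the CVS Plugin's own code: a `DocumentBuilderFactory` hardened to reject DOCTYPE declarations and external entities, run against a constructed changelog-style document. The class name, method names, sample documents and the placeholder entity URI are all assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedChangelogParser { // hypothetical class name

    // Constructed sample of an entity-bearing changelog-style document; the entity
    // points at a placeholder, not a real file or host.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE changelog [ <!ENTITY ext SYSTEM \"PLACEHOLDER-URI\"> ]>\n"
      + "<changelog><entry><msg>&ext;</msg></entry></changelog>";

    // Constructed sample of an ordinary changelog with no DOCTYPE.
    static final String SAMPLE_PLAIN =
        "<?xml version=\"1.0\"?><changelog><entry><msg>fix build</msg></entry></changelog>";

    /** Factory configured so that DOCTYPE declarations and external entities are rejected. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE blocks external entities and entity-expansion bombs alike.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these but not the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses with the hardened factory; a fatal parse error surfaces as SAXParseException. */
    static Document parse(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain: root element = " + parse(SAMPLE_PLAIN).getDocumentElement().getTagName());
        try {
            parse(SAMPLE_WITH_DOCTYPE);
            System.out.println("doctype sample: parsed, hardening is NOT in effect");
        } catch (SAXParseException e) {
            System.out.println("doctype sample rejected: " + e.getMessage());
        }
    }
}
```

The plain document parses normally, while the DOCTYPE-bearing one is rejected before any entity is resolved, which is the behaviour to look for when checking that a parser in a build plugin has actually been hardened.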
Jenkins
vendor_jenkins · 2020-12-03 · CVSS 9.8
CVE-2020-2320 [CRITICAL] Jenkins Security Advisory 2020-12-03
This advisory announces vulnerabilities in the following Jenkins deliverables:

- Chaos Monkey Plugin
- CVS Plugin
- Shelve Project Plugin
- Plugin Installation Manager Tool

Descriptions
XXE vulnerability in CVS Plugin
SECURITY-2146 / CVE-
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-12-03