CVE-2021-21672
Published 2021-06-30
Priority P3 · 36 · medium · 4.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 42.52% (98.5th percentile)
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | cas_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | selenium_html_report | <= 1.0 | — |
| jenkins | selenium_html_report_plugin | — | — |
| jenkins_project | jenkins_selenium_html_report_plugin | unspecified – 1.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
GHSA
XXE vulnerability in Jenkins Selenium HTML report Plugin
ghsa·2021-07-02
CVE-2021-21672 [MEDIUM] CWE-611 XXE vulnerability in Jenkins Selenium HTML report Plugin
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.
OSV
XXE vulnerability in Jenkins Selenium HTML report Plugin
osv·2021-07-02
CVE-2021-21672 [MEDIUM] XXE vulnerability in Jenkins Selenium HTML report Plugin
Jenkins
Jenkins Security Advisory 2021-06-30
vendor_jenkins·2021-06-30·CVSS 4.3
CVE-2021-21670 [MEDIUM] Jenkins Security Advisory 2021-06-30
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- CAS Plugin
- requests-plugin Plugin
- requests-plugin Plugin
- requests-plugin Plugin
- Selenium HTML report Plugin
Descriptions
Improper permission checks allow
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://www.openwall.com/lists/oss-security/2021/06/30/1
http://www.openwall.com/lists/oss-security/2022/04/14/2
https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2329
Published: 2021-06-30