CVE-2022-30971XML External Entity (XXE) Injection in Project Jenkins Storable Configs Plugin

CWE-611XML External Entity (XXE) Injection5 documents5 sources
Severity
8.8HIGHNVD
EPSS
0.6%
top 30.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Storable Configs PluginJenkins Storable Configs
Timeline
PublishedMay 17
Latest updateMay 18

Description

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

🔴Vulnerability Details

3
OSV
XML External Entity Reference in Jenkins Storable Configs Plugin2022-05-18
GHSA
XML External Entity Reference in Jenkins Storable Configs Plugin2022-05-18
CVEList
CVE-2022-30971: Jenkins Storable Configs Plugin 12022-05-17

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2022-05-172022-05-17
CVE-2022-30971 — XML External Entity (XXE) Injection | cvebase