CVE-2022-46682
Published: 2022-12-12
Priority: P3 44 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.95% (56.7th percentile)
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | checkmarx_plugin | — | — |
| jenkins | custom_build_properties_plugin | — | — |
| jenkins | gitea_plugin | — | — |
| jenkins | google_login_plugin | — | — |
| jenkins | plot | < 2.1.12 | 2.1.12 |
| jenkins | plot_plugin | — | — |
| jenkins | sonar_gerrit_plugin | — | — |
| jenkins | spring_config_plugin | — | — |
| jenkins_project | jenkins_plot_plugin | unspecified – 2.1.11 | — |
OSV: Jenkins Plot Plugin XML External Entity Reference vulnerability (osv, 2022-12-12, severity HIGH)
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Plot Plugin 2.1.12 disables external entity resolution for its XML parser.
GHSA: Jenkins Plot Plugin XML External Entity Reference vulnerability (ghsa, 2022-12-12, severity HIGH, CWE-611). Same description as the OSV entry.
Jenkins: Jenkins Security Advisory 2022-12-07 (vendor_jenkins, 2022-12-07, CVSS 9.8, CRITICAL)
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Checkmarx Plugin
- Custom Build Properties Plugin
- Gitea Plugin
- Google Login Plugin
- Plot Plugin
- Sonar Gerrit Plugin
- Spring Config Plugin
Descriptions
XXE vulnerabili
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.