CVE-2023-37942 — XML External Entity (XXE) Injection in Project Jenkins External Monitor JOB Type Plugin

CWE-611 — XML External Entity (XXE) Injection4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 63.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins External Monitor JOB Type Plugin Jenkins External Monitor JOB Type Jenkins Active Directory Plugin +14 more

Timeline

PublishedJul 12

Description

Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages17 packages

▶CVEListV5jenkins_project/jenkins_external_monitor_job_type_plugin206.v9a_94ff0b_4a_10

▶jenkinsjenkins/external_monitor_job_type_plugin

▶NVDjenkins/external_monitor_job_type206.v9a_94ff0b_4a_10

▶jenkinsjenkins/datadog_plugin

▶jenkinsjenkins/rebuilder_plugin

🔴Vulnerability Details

OSV

Jenkins External Monitor Job Type Plugin XML external entity vulnerability↗2023-07-12

▶

GHSA

Jenkins External Monitor Job Type Plugin XML external entity vulnerability↗2023-07-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2023-07-12↗2023-07-12

▶