GHSA-732f-w585-gmpc

Source
https://github.com/advisories/GHSA-732f-w585-gmpc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-732f-w585-gmpc/GHSA-732f-w585-gmpc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-732f-w585-gmpc
Aliases
  • CVE-2021-21669
Published
2022-05-24T19:05:40Z
Modified
2024-01-02T05:51:11.178189Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
XXE vulnerability in Jenkins Generic Webhook Trigger Plugin
Details

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

An attacker who can call a webhook configured to extract parameters using XPath can send a crafted XML request body that declares external entities. Jenkins resolves those entities while parsing, so the attacker can read files accessible to the Jenkins controller process (extraction of secrets) or make the controller issue requests to attacker-chosen URLs (server-side request forgery).

Jenkins Generic Webhook Trigger Plugin 1.74 disables external entity resolution for its XML parser.
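As an added illustration (not code from the plugin or from the advisory), the following Python program reproduces the failure mode described above with Python's standard-library SAX (expat) parser: a webhook-style XML body declares an external entity whose SYSTEM identifier points at a local file, a parser left permissive pulls that file's content into the extracted parameter, and the same parser with external entity resolution disabled returns nothing for it. The element-path collector, `build_parser`, `extract_parameter`, the payload and the "secret" file are all constructed for the example; the plugin itself is Java, so the API calls differ, but the configuration decision is the one the 1.74 fix addresses.

```python
"""Added illustration (not the plugin's own code): an XML parser that resolves
external entities leaks local files; disabling that resolution stops it.
Uses Python's stdlib SAX (expat) parser. The Jenkins plugin is Java, so the
principle carries over, not the API calls."""
import io
import os
import tempfile
from pathlib import Path
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class PathTextCollector(ContentHandler):
    """Collect the text of each element keyed by its slash-separated path.

    Stands in for the plugin's XPath-based parameter extraction: the attack
    only needs the parser to resolve entities while reading the body, so how
    the text is selected afterwards does not matter.
    """

    def __init__(self):
        super().__init__()
        self._stack = []
        self.values = {}

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.values.setdefault(self._path(), "")

    def endElement(self, name):
        self._stack.pop()

    def characters(self, content):
        if self._stack:
            self.values[self._path()] += content

    def _path(self):
        return "/" + "/".join(self._stack)


def build_parser(hardened: bool):
    """Hypothetical webhook parser factory. 'hardened' mirrors the class of fix
    the advisory describes for 1.74: external entity resolution switched off."""
    parser = xml.sax.make_parser()
    if hardened:
        parser.setFeature(feature_external_ges, False)  # no external general entities
        parser.setFeature(feature_external_pes, False)  # no external parameter entities
    else:
        # Permissive configuration: the parser fetches whatever SYSTEM
        # identifier the document declares (file://, http://, ...).
        parser.setFeature(feature_external_ges, True)
    return parser


def extract_parameter(xml_body: bytes, path: str, hardened: bool) -> str:
    """Parse a webhook body and return the text found at 'path' (e.g. '/payload/token')."""
    handler = PathTextCollector()
    parser = build_parser(hardened)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_body))
    return handler.values.get(path, "").strip()


def build_xxe_payload(target: Path) -> bytes:
    """Constructed attacker payload: declares an external entity whose SYSTEM
    identifier points at a local file, then references it inside <token>."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE payload [<!ENTITY xxe SYSTEM "{target.as_uri()}">]>\n'
        "<payload><event>push</event><token>&xxe;</token></payload>\n"
    ).encode()


def demo() -> tuple[str, str]:
    """Return (value extracted by the permissive parser, value extracted by the
    hardened parser) for the same crafted request body."""
    # Constructed stand-in for a secret readable by the server process.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("s3cr3t-controller-token")
        secret = Path(f.name)
    try:
        body = build_xxe_payload(secret)
        leaked = extract_parameter(body, "/payload/token", hardened=False)
        blocked = extract_parameter(body, "/payload/token", hardened=True)
    finally:
        os.unlink(secret)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("permissive parser extracted:", repr(leaked))
    print("hardened parser extracted:  ", repr(blocked))
```

Run it directly to see both extractions. The SSRF half of the advisory follows from the same mechanism: a SYSTEM identifier of `http://...` makes the server fetch that URL instead of a file. In a JAXP (Java) parser the equivalent hardening is to set the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the factory, which rejects the DOCTYPE before any entity can be declared; the advisory only states that 1.74 disables external entity resolution, so that feature is a general recommendation here, not a description of the plugin's patch.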

Database specific
{
    "nvd_published_at": "2021-06-18T10:15:00Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-26T16:28:18Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:generic-webhook-trigger

Package

Name
org.jenkins-ci.plugins:generic-webhook-trigger
Purl
pkg:maven/org.jenkins-ci.plugins/generic-webhook-trigger

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.74

Affected versions

0.*

0.1.0

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
1.36
1.37
1.38
1.39
1.40
1.41
1.42
1.43
1.44
1.45
1.46
1.47
1.48
1.49
1.50
1.51
1.52
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.71
1.72

Database specific

{
    "last_known_affected_version_range": "<= 1.72"
}