CVE-2021-43576

CVSS v3.1 6.5 (Medium)

CVSS v2.0 4.3 (Medium)

EPSS 0.52 % (77^th)

Affected Products 1

Advisories 2

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Weaknesses

CWE-611: Improper Restriction of XML External Entity Reference

CVE Status: PUBLISHED
CNA: Jenkins Project
Published Date: 2021-11-12 11:15:08
(2 years ago)
Updated Date: 2023-11-22 21:33:01
(10 months ago)

Affected Products

Jenkins

Pom2config

Configuration #1

		CPE23	From	Up To
	Jenkins Pom2config for Jenkins 1.2 and prior versions	cpe:2.3:a:jenkins:pom2config::::::jenkins		<= 1.2