[JENKINS:SECURITY-2339] XXE vulnerability in `fstrigger`

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

fstrigger 0.40 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Job/Configure permission or otherwise able to control the contents of an XML file being polled for changes to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the polling Jenkins controller or agent, server-side request forgery, or denial-of-service attacks.

fstrigger 0.41 disables external entity resolution for its XML parser.
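The fix described above amounts to configuring the JAXP parser so that DOCTYPE declarations and external entities are never resolved. The following is an added example, not the plugin's own code: it hardens a `DocumentBuilderFactory` the way a Jenkins plugin polling XML files should, and feeds it a constructed document carrying an external entity; the class name, the sample XML and the `file:///constructed/...` URL are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlPolling {

    // Constructed sample of a polled file: a DOCTYPE declaring an external entity
    // and a body that references it. A default-configured parser would try to
    // fetch the SYSTEM URL (local file, http://, ...) while building the document.
    static final String POLLED_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE config [ <!ENTITY ext SYSTEM \"file:///constructed/example/path\"> ]>\n"
        + "<config><value>&ext;</value></config>";

    // Hardened factory: refuse any DOCTYPE, so neither external general/parameter
    // entities nor internal entity expansion (billion-laughs style DoS) can be used,
    // and never load an external DTD or process XInclude.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses polled content; returns null when the parser rejects the document,
    // which is the desired outcome for a file carrying a DOCTYPE.
    static Document parsePolledFile(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the DOCTYPE itself is a fatal error, so the
            // entity's SYSTEM URL is never contacted.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document doc = parsePolledFile(hardenedFactory(), POLLED_XML);
        System.out.println("hardened parser accepted document: " + (doc != null));
    }
}
```

Running this prints `rejected: DOCTYPE is disallowed ...` followed by `hardened parser accepted document: false`; swapping `hardenedFactory()` for a plain `DocumentBuilderFactory.newInstance()` is the 0.40 behaviour, where the parser attempts to resolve the entity's URL before the caller sees the document.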

ID
JENKINS:SECURITY-2339
Severity
high
Published
2021-05-25T00:00:00
Modified
2021-05-25T00:00:00
Rights
Jenkins Security Team
Other Advisories
Source: Plugin repository
Name: fstrigger repository
URL: https://github.com/jenkinsci/fstrigger-plugin
Type      Package URL                                  Namespace                Name / Product     Version
Affected  pkg:maven/org.jenkins-ci.plugins/fstrigger   org.jenkins-ci.plugins   fstrigger          <= 0.40
Fixed     pkg:maven/org.jenkins-ci.plugins/fstrigger   org.jenkins-ci.plugins   fstrigger          = 0.41
Affected  pkg:github/jenkinsci/fstrigger-plugin        jenkinsci                fstrigger-plugin   <= 0.40
Fixed     pkg:github/jenkinsci/fstrigger-plugin        jenkinsci                fstrigger-plugin   = 0.41