[JENKINS:SECURITY-2930] XXE vulnerability in `absint-a3`

Severity: High
Affected Packages: 2
CVEs: 1

absint-a3 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a crafted XML document that uses external entities to extract secrets from the Jenkins controller or to perform server-side request forgery.

As of publication of this advisory, there is no fix.
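The root cause stated above is an XML parser left in its default, entity-resolving configuration. The following Java snippet is an added example and not the absint-a3 plugin's own code: it shows the parser hardening a Jenkins plugin author (or a reviewer auditing one) would expect to see before untrusted project-file contents reach `DocumentBuilder.parse`. The class name, the `parse` helper and the sample XML documents are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

// Hypothetical helper: parses an APX-style project file with a parser that cannot
// resolve external entities or fetch external DTDs (example, not plugin code).
public class HardenedApxParser {

    // Build a DocumentBuilderFactory in which every entity-related feature is off.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: reject any DOCTYPE, so no entities can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse untrusted XML text with the hardened factory.
    static Document parse(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary project file is parsed normally.
        String plain = "<project><file>main.c</file></project>";
        System.out.println("root element: " + parse(plain).getDocumentElement().getTagName());

        // Constructed sample: any DOCTYPE (even one declaring only an internal entity)
        // is rejected before entity expansion can happen.
        String withDoctype = "<!DOCTYPE project [<!ENTITY e \"x\">]><project>&e;</project>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE as intended: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright is the simplest configuration to audit, because the other four features only matter if a DTD is allowed in the first place. When reviewing a plugin for this class of bug, search for every `DocumentBuilderFactory.newInstance()`, `SAXParserFactory.newInstance()` and `XMLInputFactory.newInstance()` call and confirm that the factory is configured this way before it parses user-controlled input.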

ID: JENKINS:SECURITY-2930
Severity: high
Published: 2023-03-21T00:00:00
Modified: 2023-03-21T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source: Plugin repository
Name:   absint-a3 repository
URL:    https://github.com/jenkinsci/absint-a3-plugin
Type      Package URL                                  Namespace               Name / Product     Version
Affected  pkg:maven/org.jenkins-ci.plugins/absint-a3   org.jenkins-ci.plugins  absint-a3          <= 1.1.0
Affected  pkg:github/jenkinsci/absint-a3-plugin        jenkinsci               absint-a3-plugin   <= 1.1.0