[JENKINS:SECURITY-822] XXE vulnerability in `fireline`

Severity High
Affected Packages 2
CVEs 1

fireline accepts XML for part of its configuration.
It does not configure the XML parser to prevent XML external entity (XXE) attacks.

A form validation method that accepts XML does not perform permission checks.
This allows users with Overall/Read permission to have Jenkins parse a crafted XML file that declares external entities, which can be used to extract secrets from the Jenkins agent, perform server-side request forgery, or cause denial of service.

As of publication of this advisory, there is no fix.
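The two defects the advisory describes (a form validation endpoint reachable by any Overall/Read user, and an XML parser left at JAXP defaults) are shown side by side below as an added example. This is not fireline's code and does not reproduce the plugin's actual method or field names; the class name, the `value` parameter, the choice of `Jenkins.ADMINISTER` as the required permission, and the constructed payload are all assumptions made for illustration. In a real plugin the two `doCheck...` methods would live on the `Descriptor` that owns the configuration field.

```java
// Added example, not fireline's code. Names and the permission checked are
// assumptions; the XXE payload is constructed for the demonstration.
import hudson.util.FormValidation;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class XmlConfigValidation {

    // Vulnerable pattern (hypothetical): no permission check, so any
    // Overall/Read user can reach it, and a default DocumentBuilderFactory
    // resolves DOCTYPE-declared external entities (XXE).
    public FormValidation doCheckConfigXmlVulnerable(@QueryParameter String value) {
        try {
            DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
            db.parse(new ByteArrayInputStream(value.getBytes(StandardCharsets.UTF_8)));
            return FormValidation.ok();
        } catch (Exception e) {
            // Echoing the parser message can leak the resolved entity content.
            return FormValidation.error("Invalid XML: " + e.getMessage());
        }
    }

    // Hardened version: require a permission before doing any work, restrict
    // the endpoint to POST, and parse with entity resolution disabled.
    @POST
    public FormValidation doCheckConfigXml(@QueryParameter String value) {
        // Assumption: only administrators should validate this configuration.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            DocumentBuilder db = secureFactory().newDocumentBuilder();
            db.parse(new ByteArrayInputStream(value.getBytes(StandardCharsets.UTF_8)));
            return FormValidation.ok();
        } catch (Exception e) {
            return FormValidation.error("Invalid XML"); // no parser details to the caller
        }
    }

    // Parser factory with the standard XXE mitigations for JAXP/Xerces.
    static DocumentBuilderFactory secureFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting DOCTYPE entirely blocks every entity declaration, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth in case DOCTYPE processing is ever re-enabled.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the hardened factory refuses the document.
    static boolean rejectedBySecureParser(String xml) {
        try {
            secureFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (Exception e) {
            return true; // SAXParseException: DOCTYPE is disallowed
        }
    }

    // Stand-alone check against a constructed XXE payload (not from the advisory).
    public static void main(String[] args) {
        String xxe = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE cfg [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
            + "<cfg><name>&ext;</name></cfg>";
        System.out.println("secure parser rejects payload: " + rejectedBySecureParser(xxe));
        System.out.println("secure parser rejects plain XML: "
            + rejectedBySecureParser("<cfg><name>ok</name></cfg>"));
    }
}
```

The `disallow-doctype-decl` feature alone is sufficient against XXE and entity-expansion denial of service; the remaining features matter only if a plugin genuinely needs DOCTYPE support. The permission check comes before parsing because rejecting the request costs nothing, while parsing untrusted XML is exactly the operation the advisory warns about.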

ID: JENKINS:SECURITY-822
Severity: high
Published: 2019-10-23T00:00:00
Modified: 2019-10-23T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source: Plugin repository; Name: fireline repository; URL: https://github.com/jenkinsci/fireline-plugin
Affected packages (no patch or fixed version listed):
Affected | pkg:maven/org.jenkins-ci.plugins/fireline | namespace org.jenkins-ci.plugins | name fireline | version <= 1.7.2
Affected | pkg:github/jenkinsci/fireline-plugin | namespace jenkinsci | name fireline-plugin | version <= 1.7.2