[MAVEN:GHSA-XX7G-F287-F9FQ] XXE vulnerability in Jenkins Liquibase Runner Plugin
Severity
High
Affected Packages
1
Fixed Packages
1
CVEs
1
Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Liquibase Runner Plugin 1.4.7 no longer parses Liquibase changesets.
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/liquibase-runner | <= 1.4.5 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/liquibase-runner | = 1.4.7 |
- ID
- MAVEN:GHSA-XX7G-F287-F9FQ
- Severity
- high
- URL
- https://github.com/advisories/GHSA-xx7g-f287-f9fq
- Published
-
2022-05-24T17:29:16
(2 years ago) - Modified
-
2023-10-27T11:34:51
(10 months ago) - Rights
- Maven Security Team
- Other Advisories
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/liquibase-runner | org.jenkins-ci.plugins | liquibase-runner | <= 1.4.5 | |||
Fixed | pkg:maven/org.jenkins-ci.plugins/liquibase-runner | org.jenkins-ci.plugins | liquibase-runner | = 1.4.7 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |