Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CPE | Name | Operator | Version |
---|---|---|---|
org.jvnet.hudson.plugins:storable-configs-plugin | le | 1.0 |