XXE vulnerability in Jenkins WebSphere Deployer Plugin

2022-05-2417:07:41

Google

osv.dev

0.001 Low

EPSS

Percentile

39.7%

JSON

WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.

CPENameOperatorVersion
org.jenkins-ci.plugins:websphere-deployereq1.5.5
org.jenkins-ci.plugins:websphere-deployereq1.3.4
org.jenkins-ci.plugins:websphere-deployereq1.6.1
org.jenkins-ci.plugins:websphere-deployereq1.5.6
org.jenkins-ci.plugins:websphere-deployereq1.1
org.jenkins-ci.plugins:websphere-deployereq1.2
org.jenkins-ci.plugins:websphere-deployereq1.6.0

Name	Operator	Version
org.jenkins-ci.plugins:websphere-deployer	eq	1.5.5
org.jenkins-ci.plugins:websphere-deployer	eq	1.3.4
org.jenkins-ci.plugins:websphere-deployer	eq	1.6.1
org.jenkins-ci.plugins:websphere-deployer	eq	1.5.6
org.jenkins-ci.plugins:websphere-deployer	eq	1.1
org.jenkins-ci.plugins:websphere-deployer	eq	1.2
org.jenkins-ci.plugins:websphere-deployer	eq	1.6.0