XXE vulnerability in Jenkins Klocwork Analysis Plugin

2022-05-2417:27:07

Google

osv.dev

0.001 Low

EPSS

Percentile

22.2%

JSON

Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CPENameOperatorVersion
org.jenkins-ci.plugins:klocworkeq2.4.2
org.jenkins-ci.plugins:klocworkeq1.11
org.jenkins-ci.plugins:klocworkeq2.5.3
org.jenkins-ci.plugins:klocworkeq1.13
org.jenkins-ci.plugins:klocworkeq1.15
org.jenkins-ci.plugins:klocworkeq2.3.9
org.jenkins-ci.plugins:klocworkeq2.2
org.jenkins-ci.plugins:klocworkeq2.3.8
org.jenkins-ci.plugins:klocworkeq1.24.6
org.jenkins-ci.plugins:klocworkeq2.4.6

Name	Operator	Version
org.jenkins-ci.plugins:klocwork	eq	2.4.2
org.jenkins-ci.plugins:klocwork	eq	1.11
org.jenkins-ci.plugins:klocwork	eq	2.5.3
org.jenkins-ci.plugins:klocwork	eq	1.13
org.jenkins-ci.plugins:klocwork	eq	1.15
org.jenkins-ci.plugins:klocwork	eq	2.3.9
org.jenkins-ci.plugins:klocwork	eq	2.2
org.jenkins-ci.plugins:klocwork	eq	2.3.8
org.jenkins-ci.plugins:klocwork	eq	1.24.6
org.jenkins-ci.plugins:klocwork	eq	2.4.6