First published: Thu Oct 08 2020
Jenkins Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Nerrvana | <=1.02.06 | |
| maven/org.jenkins-ci.plugins:nerrvana-plugin | <=1.02.06 | |
CVE-2020-2298 is a vulnerability in Jenkins Nerrvana Plugin 1.02.06 and earlier that allows attackers to perform XML external entity (XXE) attacks.
CVE-2020-2298 has a severity score of 6.5 out of 10, indicating a medium severity.
The affected software for CVE-2020-2298 is Jenkins Nerrvana Plugin version 1.02.06 and earlier.
CVE-2020-2298 allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request containing XML data and thereby extract secrets from Jenkins.
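The misconfiguration described above is a JAXP parser left on its defaults. The following added example, which is not the plugin's own code and uses class and method names of my choosing, places a stock `DocumentBuilderFactory` beside one hardened so that a request body carrying a DOCTYPE or external entity is rejected before any entity is resolved.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class SafeXmlParsing {
    // Weak setting: a stock JAXP factory. Depending on the JDK and the
    // parser on the classpath, it will honour DOCTYPE declarations and
    // resolve external entities, which is the class of defect CVE-2020-2298 is.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened setting: refuse DOCTYPEs outright and, as defence in depth,
    // turn off external general/parameter entities and external DTD loading.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the parser accepts the document, false when it rejects it.
    static boolean accepts(DocumentBuilder db, String xml) throws IOException {
        try {
            return db.parse(new InputSource(new StringReader(xml))).getDocumentElement() != null;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless internal DTD, enough to show that the
        // hardened parser refuses any DOCTYPE instead of expanding entities.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY x \"y\">]><r>&x;</r>";
        System.out.println("default  accepts DOCTYPE: " + accepts(defaultParser(), withDoctype));
        System.out.println("hardened accepts DOCTYPE: " + accepts(hardenedParser(), withDoctype));
        System.out.println("hardened accepts plain:   " + accepts(hardenedParser(), "<r>ok</r>"));
    }
}
```

Whether the stock factory accepts the DOCTYPE depends on the JDK and bundled parser, which is exactly why the explicit features are the fix rather than trusting the defaults.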
For more information, refer to the following links: [http://www.openwall.com/lists/oss-security/2020/10/08/5](http://www.openwall.com/lists/oss-security/2020/10/08/5), [https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-2097](https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-2097), [https://nvd.nist.gov/vuln/detail/CVE-2020-2298](https://nvd.nist.gov/vuln/detail/CVE-2020-2298)