XML External Entity Injection in Jenkins Liquibase Runner Plugin
CVE-2020-2284

7.1HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Liquibase Runner Plugin
Vendor: CVE Published:; 23 September 2020

What is CVE-2020-2284?

The Jenkins Liquibase Runner Plugin, prior to version 1.4.6, is vulnerable to XML External Entity (XXE) injection due to improper configuration of its XML parser. This vulnerability allows an attacker to potentially exploit the application by sending crafted XML data that could lead to the disclosure of confidential data, the execution of unauthorized commands, or denial of service. Users of the affected versions should upgrade to the latest version to mitigate this security risk.

Affected Version(s)

Jenkins Liquibase Runner Plugin <= 1.4.5

References

https://www.jenkins.io/security/advisory/2020-09-23/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/09/23/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2020
Vulnerability Reserved
Dec 5, 2019