XML External Entity Injection Vulnerability in Jenkins Storable Configs Plugin
CVE-2022-30971

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Storable Configs Plugin
Vendor: CVE Published:; 17 May 2022

What is CVE-2022-30971?

The Jenkins Storable Configs Plugin 1.0 and earlier is susceptible to XML external entity (XXE) attacks due to improper configuration of its XML parser. This oversight allows an attacker to exploit the plugin by sending crafted XML data, which could lead to unauthorized access to sensitive information or server-side request forgery. Users are advised to upgrade to the latest plugin version to mitigate this risk and enhance their security posture. For more details, refer to the official advisory.

Affected Version(s)

Jenkins Storable Configs Plugin <= 1.0

References

https://www.jenkins.io/security/advisory/2022-05-17/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 17, 2022
Vulnerability Reserved
May 16, 2022