Miggo Logo

CVE-2020-2171: XXE vulnerability in Jenkins RapidDeploy Plugin

7.6

CVSS Score
3.1

Basic Information

EPSS Score
0.33869%
Published
5/24/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:rapiddeploy-jenkinsmaven< 4.2.14.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parser configuration. While exact code isn't available, the advisory explicitly states the parser wasn't configured to prevent XXE. In Java XML processing, this typically occurs in DocumentBuilderFactory/SAXParserFactory initialization methods where security features aren't set. The deployment package build step's XML processing logic would contain these vulnerable parser initialization routines. The high confidence comes from: 1) The vulnerability type (CWE-611) directly maps to XML parser configuration 2) The patch explicitly mentions disabling external entity resolution 3) Jenkins plugin vulnerabilities of this type commonly manifest in build step processors handling XML input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

R*pi***ploy Plu*in *.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows * us*r **l* to *ontrol t** input *il*s *or t** 'R*pi***ploy **ploym*nt p**k*** *uil*' *uil* or post-*uil* st*p to **v* J*n

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion. W*il* *x**t *o** isn't *v*il**l*, t** **visory *xpli*itly st*t*s t** p*rs*r w*sn't *on*i*ur** to pr*v*nt XX*. In J*v* XML pro**ssin*, t*is typi**lly o**urs in `*o*um*nt*uil**r***tory`/`S