7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2171

GHSA ID

GHSA-g7w4-r4mg-gvhx

EPSS Score

0.33869%

CWE

CWE-611

Published

5/24/2022

Updated

1/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2171

CVE-2020-2171: XXE vulnerability in Jenkins RapidDeploy Plugin

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.

(GitHub Advisory)

7.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2171

GHSA ID

GHSA-g7w4-r4mg-gvhx

EPSS Score

0.33869%

CWE

CWE-611

Published

5/24/2022

Updated

1/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:rapiddeploy-jenkins	maven	< 4.2.1	4.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration. While exact code isn't available, the advisory explicitly states the parser wasn't configured to prevent XXE. In Java XML processing, this typically occurs in DocumentBuilderFactory/SAXParserFactory initialization methods where security features aren't set. The deployment package build step's XML processing logic would contain these vulnerable parser initialization routines. The high confidence comes from: 1) The vulnerability type (CWE-611) directly maps to XML parser configuration 2) The patch explicitly mentions disabling external entity resolution 3) Jenkins plugin vulnerabilities of this type commonly manifest in build step processors handling XML input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

R*pi***ploy Plu*in *.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows * us*r **l* to *ontrol t** input *il*s *or t** 'R*pi***ploy **ploym*nt p**k*** *uil*' *uil* or post-*uil* st*p to **v* J*n

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion. W*il* *x**t *o** isn't *v*il**l*, t** **visory *xpli*itly st*t*s t** p*rs*r w*sn't *on*i*ur** to pr*v*nt XX*. In J*v* XML pro**ssin*, t*is typi**lly o**urs in `*o*um*nt*uil**r***tory`/`S

7.6

Basic Information

Concerned about an active attack path?

CVE-2020-2171: XXE vulnerability in Jenkins RapidDeploy Plugin

7.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI