Miggo Logo

CVE-2020-2178: XXE vulnerability in Jenkins Parasoft Findings Plugin

7.1

CVSS Score
3.0

Basic Information

EPSS Score
0.31962%
Published
5/24/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.parasoft:parasoft-findingsmaven<= 10.4.310.4.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parser configuration. The advisory explicitly states the parser wasn't properly secured against XXE. In Java XML processing, this typically occurs when DocumentBuilderFactory is created without setting security features like FEATURE_SECURE_PROCESSING or explicitly disabling DTD/external entities. The parse method handling XML input would be the logical location for this vulnerability, as the patched version (10.4.4) specifically mentions adding external entity resolution disabling - a standard XXE mitigation for Java XML parsers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P*r*so*t *in*in*s Plu*in impl*m*nts * st*ti* *n*lysis p*rs*r *or v*rious P*r*so*t pro*u*ts *n* int**r*t*s wit* [W*rnin*s Plu*in](*ttps://plu*ins.j*nkins.io/w*rnin*s) (**.*.* *n* **rli*r) *n* [W*rnin*s N* Plu*in](*ttps://plu*ins.j*nkins.io/w*rnin*s-n*

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion. T** **visory *xpli*itly st*t*s t** p*rs*r w*sn't prop*rly s**ur** ***inst XX*. In J*v* XML pro**ssin*, t*is typi**lly o**urs w**n *o*um*nt*uil**r***tory is *r**t** wit*out s*ttin* s**uri