Miggo Logo
Miggo Vulnerability Database
CVE-2020-2284

CVE-2020-2284: XXE vulnerability in Jenkins Liquibase Runner Plugin

7.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2284
GHSA ID
GHSA-xx7g-f287-f9fq
EPSS Score
0.20694%
CWE
CWE-611
Published
5/24/2022
Updated
10/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:liquibase-runnermaven<= 1.4.51.4.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parsing of Liquibase changesets. The advisory explicitly states the XML parser wasn't configured to prevent XXE attacks, which typically occurs when using DocumentBuilder/SAXParser without disabling external entities. The fixed version (1.4.7) removed changeset parsing entirely, confirming the vulnerability resided in this functionality. While exact code isn't available, the pattern matches standard XXE vulnerability patterns in Java XML processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Liqui**s* Runn*r Plu*in *.*.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows *tt**k*rs **l* to provi** Liqui**s* ***n**s*ts *v*lu*t** *y t** plu*in to **v* J*nkins p*rs* * *r**t** XML

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* o* Liqui**s* ***n**s*ts. T** **visory *xpli*itly st*t*s t** XML p*rs*r w*sn't *on*i*ur** to pr*v*nt XX* *tt**ks, w*i** typi**lly o**urs w**n usin* `*o*um*nt*uil**r`/`S*XP*rs*r` wit*out *is**lin* *xt*r