6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2304

GHSA ID

GHSA-vp5f-8jgw-j53c

EPSS Score

0.78727%

CWE

CWE-611

Published

5/24/2022

Updated

12/20/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2304

CVE-2020-2304: XXE vulnerability in Jenkins Subversion Plugin

Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Subversion Plugin 2.13.2 disables external entity resolution for its XML parser.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2304

GHSA ID

GHSA-vp5f-8jgw-j53c

EPSS Score

0.78727%

CWE

CWE-611

Published

5/24/2022

Updated

12/20/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:subversion	maven	< 2.13.2	2.13.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in the SubversionChangeLogParser class. The commit diff shows security features were added to the Digester initialization (disallow-doctype-decl, external entity handling). The parse() method (inherited from ChangeLogParser) uses this Digester instance to process XML input. In vulnerable versions (<2.13.2), the absence of these security features in the parser configuration made XXE exploitation possible when processing attacker-controlled changelog files.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Su*v*rsion Plu*in *.**.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows *tt**k*rs **l* to *ontrol *n ***nt pro**ss to **v* J*nkins p*rs* * *r**t** ***n**lo* *il* t**t us*s *xt*rn*l *nt

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion in t** `Su*v*rsion***n**Lo*P*rs*r` *l*ss. T** *ommit *i** s*ows s**urity ***tur*s w*r* ***** to t** `*i**st*r` initi*liz*tion (*is*llow-*o*typ*-***l, *xt*rn*l *ntity **n*lin*). T** `p*rs*

6.5

Basic Information

Concerned about an active attack path?

CVE-2020-2304: XXE vulnerability in Jenkins Subversion Plugin

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI