Miggo Logo

CVE-2020-2315: XXE vulnerability in Jenkins Visualworks Store Plugin

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.5056%
Published
5/24/2022
Updated
12/14/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:visualworks-storemaven< 1.1.41.1.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows security features were added to SAXReader in StoreChangeLogParser.java's parse method. Prior to 1.1.4, these XXE protection features were missing, making the XML parser vulnerable. The parse method is directly responsible for reading untrusted XML input, and the lack of secure configuration here matches the CWE-611 XXE vulnerability pattern.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Visu*lworks Stor* Plu*in *.*.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows *tt**k*rs wit* t** **ility to *ontrol t** output o* * s*ript t**t run Visu*lworks wit* Stor**I, or **l* to

Reasoning

T** *ommit *i** s*ows s**urity ***tur*s w*r* ***** to `S*XR****r` in `Stor****n**Lo*P*rs*r.j*v*`'s `p*rs*` m*t*o*. Prior to *.*.*, t**s* XX* prot**tion ***tur*s w*r* missin*, m*kin* t** XML p*rs*r vuln*r**l*. T** `p*rs*` m*t*o* is *ir**tly r*sponsi*l