Miggo Logo
Miggo Vulnerability Database
CVE-2021-21672

CVE-2021-21672: XXE vulnerability in Jenkins Selenium HTML report Plugin

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-21672
GHSA ID
GHSA-hxxp-6546-wv6r
EPSS Score
0.87421%
CWE
CWE-611
Published
7/2/2021
Updated
10/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:seleniumhtmlreportmaven<= 1.01.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parsing in TestResult.java. The commit diff shows the patch added XXE protection features to the SAXParserFactory configuration in the parseFor() method. This method was vulnerable because it previously didn't restrict external entity resolution, allowing XXE attacks. Other files modified in the commit relate to dependency management and UI templates, but don't directly contribute to the XXE vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins S*l*nium *TML r*port Plu*in *.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows *tt**k*rs wit* t** **ility to *ontrol t** r*port *il*s p*rs** usin* t*is plu*in to **v* J*nkins p*rs* * *

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* in `T*stR*sult.j*v*`. T** *ommit *i** s*ows t** p*t** ***** XX* prot**tion ***tur*s to t** `S*XP*rs*r***tory` *on*i*ur*tion in t** `p*rs**or()` m*t*o*. T*is m*t*o* w*s vuln*r**l* ****us* it pr*viously