Miggo Logo
Miggo Vulnerability Database
CVE-2021-43577

CVE-2021-43577:
XXE vulnerability in Jenkins OWASP Dependency-Check Plugin

7.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-43577
GHSA ID
GHSA-mj5v-ggjc-48p5
EPSS Score
0.82795%
CWE
CWE-611
Published
5/24/2022
Updated
12/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:dependency-check-jenkins-pluginmaven<= 5.1.15.1.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parsing in ReportParser.java. The patch adds critical security features (disallow-doctype-decl, external-entity restrictions) to the Digester configuration within the parse() method. The pre-patch code lacked these protections, making this function the entry point for XXE exploitation. The added test case specifically validates rejection of external entities in XML parsing, confirming this function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins OW*SP **p*n**n*y-****k Plu*in *.*.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows *tt**k*rs **l* to *ontrol worksp*** *ont*nts to **v* J*nkins p*rs* * *r**t** XML *il* t**t us*s *xt*r

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* `XML` p*rsin* in `R*portP*rs*r.j*v*`. T** p*t** ***s *riti**l s**urity ***tur*s (`*is*llow-*o*typ*-***l`, `*xt*rn*l-*ntity` r*stri*tions) to t** `*i**st*r` *on*i*ur*tion wit*in t** `p*rs*()` m*t*o*. T** pr*-p*t**