Miggo Logo

CVE-2022-27201: Agent-to-controller security bypass in Jenkins Semantic Versioning Plugin

7.1

CVSS Score
3.1

Basic Information

EPSS Score
0.70051%
Published
3/16/2022
Updated
2/2/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:semantic-versioning-pluginmaven< 1.141.14

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key flaws: 1) Unsafe XML parsing configuration (CWE-611) in file processing functions, and 2) Improper access control (CWE-918) in controller/agent message handling. The first vulnerable function handles XML parsing without disabling DTDs/external entities. The second enables agent-to-controller command execution without proper validation. The advisory specifically mentions these components through its description of unrestricted message execution and XML processing vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins S*m*nti* V*rsionin* Plu*in ***in*s * *ontroll*r/***nt m*ss*** t**t pro**ss*s * *iv*n *il* *s XML *n* r*turns v*rsion in*orm*tion. T** XML p*rs*r is not *on*i*ur** to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks, w*i** is only * pro*l*m i* XML *o

Reasoning

T** vuln*r**ility st*ms *rom two k*y *l*ws: *) Uns*** XML p*rsin* *on*i*ur*tion (*W*-***) in *il* pro**ssin* *un*tions, *n* *) Improp*r ****ss *ontrol (*W*-***) in *ontroll*r/***nt m*ss*** **n*lin*. T** *irst vuln*r**l* *un*tion **n*l*s XML p*rsin* w