
CVE-2022-30971: XML External Entity Reference in Jenkins Storable Configs Plugin

CVSS Score: 7.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.81216%
Published: 5/18/2022
Updated: 1/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name: org.jvnet.hudson.plugins:storable-configs-plugin
Ecosystem: maven
Vulnerable Versions: <= 1.0
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper XML parser configuration (CWE-611). The advisory states that the plugin does not configure its XML parser to prevent XXE. Exact function names are not given, but the pattern matches XML parsing of user-controlled input without hardening such as FEATURE_SECURE_PROCESSING or disallowing DTDs. In a 'Storable Configs' plugin, the ConfigStorage class is the logical location for XML configuration handling. Confidence is high because the described issue matches the standard XXE pattern in XML parsing code.
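The parser hardening the analysis refers to, as an added example that is not code from the plugin or from Miggo: a DocumentBuilderFactory with FEATURE_SECURE_PROCESSING enabled and DTDs disallowed (the OWASP-recommended settings for the JDK's default Xerces parser), exercised on two constructed documents. The class and method names are hypothetical; the feature URIs are the standard Xerces/SAX ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

// Hypothetical class name; not the plugin's ConfigStorage.
public class HardenedConfigParser {

    // Vulnerable pattern: the default factory accepts DOCTYPEs and resolves
    // external entities, which is exactly what CWE-611 describes.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: refuse DTDs entirely, so no entity (external or
    // otherwise) can be declared, and switch off the remaining entity paths
    // in case a parser implementation ignores the DOCTYPE feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder b = factory.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary config document parses on both factories.
        String plain = "<config><job name=\"build\"/></config>";
        System.out.println("hardened, plain root: "
                + parse(hardenedFactory(), plain).getDocumentElement().getTagName());

        // Constructed sample: a DOCTYPE with an internal entity. Declaring entities
        // requires a DOCTYPE, so rejecting the DOCTYPE closes the XXE path up front.
        String withDoctype = "<!DOCTYPE config [<!ENTITY greet \"hi\">]><config>&greet;</config>";
        System.out.println("default, entity expanded: "
                + parse(defaultFactory(), withDoctype).getDocumentElement().getTextContent());
        try {
            parse(hardenedFactory(), withDoctype);
            System.out.println("unexpected: hardened parser accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened, rejected as expected: " + e.getMessage());
        }
    }
}
```

The default factory prints "hi" for the second document, showing the entity was expanded; the hardened one throws a SAXParseException before any entity is processed. Disallowing the DOCTYPE declaration is the single most effective setting, and the other features are belt-and-braces for parsers that do not honour it.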

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for
