CVE-2022-30971: XML External Entity Reference in Jenkins Storable Configs Plugin
CVSS Score (v3.1): 7.1
Basic Information
CVE ID: CVE-2022-30971
GHSA ID:
EPSS Score: 0.81216%
CWE: CWE-611
Published: 5/18/2022
Updated: 1/28/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.jvnet.hudson.plugins:storable-configs-plugin | maven | <= 1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper XML parser configuration (CWE-611). The advisory states that the plugin does not configure its XML parser to prevent XML External Entity (XXE) attacks. While exact function names are not provided, the core vulnerability pattern matches XML parsing code that handles user-controlled input without protective settings such as FEATURE_SECURE_PROCESSING or disallowing DTDs and external entity resolution. The ConfigStorage class is a logical location for XML configuration handling in a 'Storable Configs' plugin. The high confidence comes from the direct match between the described vulnerability and the standard XXE pattern in XML parsing functions.