7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-30971

GHSA ID

GHSA-wqmp-2p5r-rhfv

EPSS Score

0.81216%

CWE

CWE-611

Published

5/18/2022

Updated

1/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-30971

CVE-2022-30971:
XML External Entity Reference in Jenkins Storable Configs Plugin

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-30971

GHSA ID

GHSA-wqmp-2p5r-rhfv

EPSS Score

0.81216%

CWE

CWE-611

Published

5/18/2022

Updated

1/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jvnet.hudson.plugins:storable-configs-plugin	maven	<= 1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper XML parser configuration (CWE-611). The advisory explicitly states the plugin doesn't disable XXE protections. While exact function names aren't provided, the core vulnerability pattern matches XML parsing functions handling user-controlled input without security flags like FEATURE_SECURE_PROCESSING or disallowing DTDs. The ConfigStorage class is a logical location for XML configuration handling in a 'Storable Configs' plugin. The high confidence comes from the direct match between the described vulnerability and the standard XXE attack pattern in XML parsing functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Stor**l* *on*i*s Plu*in *.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks. T*is *llows *tt**k*rs wit* It*m/*on*i*ur* p*rmission to **v* J*nkins p*rs* * *r**t** *il* t**t us*s *xt*rn*l *ntiti*s *or

Reasoning

T** vuln*r**ility st*ms *rom improp*r XML p*rs*r *on*i*ur*tion (*W*-***). T** **visory *xpli*itly st*t*s t** plu*in *o*sn't *is**l* XX* prot**tions. W*il* *x**t *un*tion n*m*s *r*n't provi***, t** *or* vuln*r**ility p*tt*rn m*t***s XML p*rsin* *un*ti

7.1

Basic Information

Concerned about an active attack path?

CVE-2022-30971: XML External Entity Reference in Jenkins Storable Configs Plugin

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-30971:
XML External Entity Reference in Jenkins Storable Configs Plugin

Vulnerability Intelligence
Miggo AI