Miggo Logo
Miggo Vulnerability Database
CVE-2023-24441

CVE-2023-24441: XML external entity vulnerability on agents in Jenkins MSTest Plugin

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-24441
GHSA ID
GHSA-3ppr-72x5-x67q
EPSS Score
0.27359%
CWE
CWE-776
Published
1/26/2023
Updated
1/4/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jvnet.hudson.plugins:mstestmaven< 1.0.11.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parser configuration. The commit diff shows security hardening in these specific functions by adding: 1) disallow-doctype-decl feature, 2) external entity disabling, and 3) secure processing flags. The affected functions handle XML parsing/transformation of test reports without these protections in vulnerable versions, making them the entry points for XXE exploitation. The patch directly modifies these functions to add security features, confirming their vulnerable status pre-1.0.1.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins MST*st Plu*in *.*.* *n* **rli*r *o*s not *on*i*ur* its XML p*rs*r to pr*v*nt XML *xt*rn*l *ntity (XX*) *tt**ks.

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion. T** *ommit *i** s*ows s**urity **r**nin* in t**s* sp**i*i* *un*tions *y ***in*: *) *is*llow-*o*typ*-***l ***tur*, *) *xt*rn*l *ntity *is**lin*, *n* *) s**ur* pro**ssin* *l**s. T** *****t