6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-37942

GHSA ID

GHSA-g4c3-4f3v-84x8

EPSS Score

0.15729%

CWE

CWE-611

Published

7/12/2023

Updated

11/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37942

CVE-2023-37942: Jenkins External Monitor Job Type Plugin XML external entity vulnerability

Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

External Monitor Job Type Plugin 207.v98a_a_37a_85525 disables external entity resolution for its XML parser.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-37942

CVE-2023-37942:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-37942

GHSA ID

GHSA-g4c3-4f3v-84x8

EPSS Score

0.15729%

CWE

CWE-611

Published

7/12/2023

Updated

11/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:external-monitor-job	maven	< 207.v98a	207.v98a

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parsing in HTTP request handlers and build data deserialization. The advisory explicitly states the patched version 'disables external entity resolution for its XML parser', indicating the vulnerable code paths involve XML processing without FEATURE_SECURE_PROCESSING or explicit entity disabling. The doSubmit method is the primary entry point for external job submissions, while readFromStream handles build data persistence - both would require XML parser configuration changes as described in the security advisory. Confidence is high for the HTTP handler method due to direct attacker control, and medium for the deserialization method based on typical plugin architecture.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-37942: Jenkins External Monitor Job Type Plugin XML external entity vulnerability

CVE-2023-37942:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-37942: Jenkins External Monitor Job Type Plugin XML external entity vulnerability

6.5

6.5

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI