CVE-2020-2305
jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Jenkins Mercurial Plugin versiones 2.11 y anteriores, no configura su analizador XML para impedir ataques de tipo XML external entity (XXE)
A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent an XML external entity (XXE) attack allowing an attacker the ability to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality.
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include XML injection, crlf injection, and information leakage vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-12-05 CVE Reserved
- 2020-11-04 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115 | 2023-10-25 | |
| https://access.redhat.com/security/cve/CVE-2020-2305 | 2021-03-03 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1895940 | 2021-03-03 |