CVE-2020-2315 — XXE vulnerability in Jenkins Visualworks Store Plugin

Description

Jenkins Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with the ability to control the output of a script that run Visualworks with StoreCI, or able to control an agent process, to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Visualworks Store Plugin 1.1.4 disables external entity resolution for its XML parser.

How to fix CVE-2020-2315

To remediate CVE-2020-2315, upgrade the affected package to a fixed version below.

—upgrade to 1.1.4 or later

Is CVE-2020-2315 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.1.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2315
PATCHgithub.com/jenkinsci/visualworks-store-plugin
WEBgithub.com/jenkinsci/visualworks-store-plugin/commit/267bb709c3412f6517b4631c867d16eb72af6d69
WEBwww.jenkins.io/security/advisory/2020-11-04/#SECURITY-1900