CVE-2021-21658 — XML external entity vulnerability in Jenkins Nuget Plugin

Description

Jenkins Nuget Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This XML parser is used for the \"Build on NuGet updates\" feature. This allows attackers with the ability to control the contents of the `packages.config` file in a workspace to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Nuget Plugin 1.1 disables external entity resolution for its XML parser.

How to fix CVE-2021-21658

To remediate CVE-2021-21658, upgrade the affected package to a fixed version below.

—upgrade to 1.1 or later

Is CVE-2021-21658 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21658
PATCHgithub.com/jenkinsci/nuget-plugin
WEBgithub.com/jenkinsci/nuget-plugin/commit/542bf38ac52f045741a5670e1644af351878f7e0
WEBgithub.com/jenkinsci/nuget-plugin/commit/c8ed4cb5b1c42f3c407f9f418b4e0b4274bea5a9