{"containers": {"cna": {"affected": [{"product": "Jenkins Subversion Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.13.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:08:54.411Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2145"}, {"name": "[oss-security] 20201104 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/11/04/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2304", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Subversion Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.13.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611: Improper Restriction of XML External Entity Reference"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2145", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2145"}, {"name": "[oss-security] 20201104 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/11/04/6"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:09:53.361Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2145"}, {"name": "[oss-security] 20201104 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/11/04/6"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2304", "datePublished": "2020-11-04T14:35:38", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:09:53.361Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:subversion:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "47C9F20B-3D87-495C-8021-FBF7204ADFB3", "versionEndIncluding": "2.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}, {"lang": "es", "value": "Jenkins Subversion Plugin versiones 2.13.1 y anteriores, no configura su analizador XML para impedir ataques de tipo XML external entity (XXE)"}], "id": "CVE-2020-2304", "lastModified": "2023-10-25T18:16:42.507", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-04T15:15:11.397", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/11/04/6"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2145"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified"}

{"affected_release": [{"advisory": "RHSA-2021:0637", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-2-plugins-0:3.11.1612862361-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0282", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "jenkins-2-plugins-0:4.4.1611203637-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2021-02-03T00:00:00Z"}, {"advisory": "RHSA-2021:0034", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "jenkins-2-plugins-0:4.5.1610108899-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-01-20T00:00:00Z"}, {"advisory": "RHSA-2021:0038", "cpe": "cpe:/a:redhat:openshift:4.6::el7", "package": "jenkins-2-plugins-0:4.6.1609853716-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-01-18T00:00:00Z"}], "bugzilla": {"description": "jenkins-2-plugins/subversion: XML parser is not preventing XML external entity (XXE) attacks", "id": "1895939", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895939"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.", "A flaw was found in the subversion Jenkins plugin. The XML parser is not properly configured to prevent XML external entity (XXE) attacks allowing an attacker the ability to control an agent process and have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible."}, "name": "CVE-2020-2304", "public_date": "2020-11-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-2304\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-2304\nhttps://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2145"], "threat_severity": "Important", "upstream_fix": "subversion 2.13.2"}