{"containers": {"cna": {"affected": [{"product": "Jenkins Mercurial Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.11", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "2.10.1"}, {"status": "unaffected", "version": "2.9.1"}, {"status": "unaffected", "version": "2.8.1"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:08:55.554Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2305", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Mercurial Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.11"}, {"version_affected": "!", "version_value": "2.10.1"}, {"version_affected": "!", "version_value": "2.9.1"}, {"version_affected": "!", "version_value": "2.8.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611: Improper Restriction of XML External Entity Reference"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:09:53.308Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2305", "datePublished": "2020-11-04T14:35:39", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:09:53.308Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:mercurial:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "9780F799-5C84-4C1C-ACA2-B1CCA5F4330B", "versionEndIncluding": "2.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}, {"lang": "es", "value": "Jenkins Mercurial Plugin versiones 2.11 y anteriores, no configura su analizador XML para impedir ataques de tipo XML external entity (XXE)"}], "id": "CVE-2020-2305", "lastModified": "2023-10-25T18:16:42.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-04T15:15:11.490", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified"}

{"affected_release": [{"advisory": "RHSA-2021:0637", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-2-plugins-0:3.11.1612862361-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-03-03T00:00:00Z"}, {"advisory": "RHSA-2021:0282", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "jenkins-2-plugins-0:4.4.1611203637-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2021-02-03T00:00:00Z"}, {"advisory": "RHSA-2021:0034", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "jenkins-2-plugins-0:4.5.1610108899-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2021-01-20T00:00:00Z"}, {"advisory": "RHSA-2021:0038", "cpe": "cpe:/a:redhat:openshift:4.6::el7", "package": "jenkins-2-plugins-0:4.6.1609853716-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-01-18T00:00:00Z"}], "bugzilla": {"description": "jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks", "id": "1895940", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895940"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.", "A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent an XML external entity (XXE) attack allowing an attacker the ability to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible."}, "name": "CVE-2020-2305", "public_date": "2020-11-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-2305\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-2305\nhttps://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115"], "threat_severity": "Important", "upstream_fix": "mercurial 2.12"}