CVE-2021-43576: Improper Restriction of XML External Entity Reference

November 12, 2021 (updated November 22, 2023)

Jenkins pom2config Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

References

www.openwall.com/lists/oss-security/2021/11/12/1
nvd.nist.gov/vuln/detail/CVE-2021-43576
www.jenkins.io/security/advisory/2021-11-12/
www.zerodayinitiative.com/advisories/ZDI-21-1314/

Detect and mitigate CVE-2021-43576 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →