Bug 1895940 (CVE-2020-2305)

Summary: CVE-2020-2305 jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, aos-bugs, bmontgom, eparis, jburrell, jokerman, nstielau, pbhattac, sponnaga, vbobade
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mercurial 2.12 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent an XML external entity (XXE) attack allowing an attacker the ability to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-18 23:59:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1896401, 1896402, 1896403, 1896404, 1896405, 1899752, 1899754    
Bug Blocks: 1895944    

Description Michael Kaplan 2020-11-09 13:59:56 UTC 
Mercurial Plugin 2.11 and earlier does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Comment 1 Michael Kaplan 2020-11-09 14:00:00 UTC 
External References:

https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115
Comment 3 Przemyslaw Roguski 2020-11-10 14:33:25 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 4 errata-xmlrpc 2021-01-18 16:03:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0038 https://access.redhat.com/errata/RHSA-2021:0038
Comment 5 Product Security DevOps Team 2021-01-18 23:59:21 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2305
Comment 6 errata-xmlrpc 2021-01-20 04:37:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0034 https://access.redhat.com/errata/RHSA-2021:0034
Comment 8 errata-xmlrpc 2021-02-03 09:44:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2021:0282 https://access.redhat.com/errata/RHSA-2021:0282
Comment 9 errata-xmlrpc 2021-03-03 12:27:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:0637 https://access.redhat.com/errata/RHSA-2021:0637