Mercurial Plugin 2.11 and earlier does not configure its XML changelog parser to prevent XML external entity (XXE) attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
External References: https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:0038 https://access.redhat.com/errata/RHSA-2021:0038
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-2305
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:0034 https://access.redhat.com/errata/RHSA-2021:0034
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2021:0282 https://access.redhat.com/errata/RHSA-2021:0282
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2021:0637 https://access.redhat.com/errata/RHSA-2021:0637