Bug 1895940 (CVE-2020-2305) - CVE-2020-2305 jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks
Summary: CVE-2020-2305 jenkins-2-plugins/mercurial: XML parser is not preventing XML e...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-2305
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1896401 1896402 1896403 1896404 1896405 1899752 1899754
Blocks: 1895944
TreeView+ depends on / blocked
 
Reported: 2020-11-09 13:59 UTC by Michael Kaplan
Modified: 2021-06-16 01:15 UTC (History)
10 users (show)

Fixed In Version: mercurial 2.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent an XML external entity (XXE) attack allowing an attacker the ability to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-01-18 23:59:21 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0432 0 None None None 2021-02-08 09:48:07 UTC
Red Hat Product Errata RHSA-2021:0034 0 None None None 2021-01-20 04:37:05 UTC
Red Hat Product Errata RHSA-2021:0038 0 None None None 2021-01-18 16:03:06 UTC
Red Hat Product Errata RHSA-2021:0282 0 None None None 2021-02-03 09:44:31 UTC
Red Hat Product Errata RHSA-2021:0637 0 None None None 2021-03-03 12:27:15 UTC

Description Michael Kaplan 2020-11-09 13:59:56 UTC
Mercurial Plugin 2.11 and earlier does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Comment 1 Michael Kaplan 2020-11-09 14:00:00 UTC
External References:

https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115

Comment 3 Przemyslaw Roguski 2020-11-10 14:33:25 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 4 errata-xmlrpc 2021-01-18 16:03:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0038 https://access.redhat.com/errata/RHSA-2021:0038

Comment 5 Product Security DevOps Team 2021-01-18 23:59:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2305

Comment 6 errata-xmlrpc 2021-01-20 04:37:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0034 https://access.redhat.com/errata/RHSA-2021:0034

Comment 8 errata-xmlrpc 2021-02-03 09:44:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2021:0282 https://access.redhat.com/errata/RHSA-2021:0282

Comment 9 errata-xmlrpc 2021-03-03 12:27:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:0637 https://access.redhat.com/errata/RHSA-2021:0637


Note You need to log in before you can comment on or make changes to this bug.