Bug 1952146 (CVE-2021-21642) - CVE-2021-21642 jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE) attacks.
Summary: CVE-2021-21642 jenkins-2-plugins/config-file-provider: Does not configure its...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-21642
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1952560 1952561 1952562 1952563 1952564
Blocks: 1952147
TreeView+ depends on / blocked
 
Reported: 2021-04-21 15:36 UTC by Michael Kaplan
Modified: 2021-07-20 14:35 UTC (History)
10 users (show)

Fixed In Version: config-file-provider 3.7.1
Clone Of:
Environment:
Last Closed: 2021-06-01 05:32:01 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2431 0 None None None 2021-07-02 00:18:28 UTC
Red Hat Product Errata RHSA-2021:2517 0 None None None 2021-06-30 15:45:47 UTC

Description Michael Kaplan 2021-04-21 15:36:55 UTC
Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Comment 1 Michael Kaplan 2021-04-21 15:37:35 UTC
External References:

https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2204

Comment 2 Przemyslaw Roguski 2021-04-22 13:50:52 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 5 errata-xmlrpc 2021-06-01 04:09:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2122 https://access.redhat.com/errata/RHSA-2021:2122

Comment 6 Product Security DevOps Team 2021-06-01 05:32:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21642

Comment 8 errata-xmlrpc 2021-06-30 15:45:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:2517 https://access.redhat.com/errata/RHSA-2021:2517

Comment 9 errata-xmlrpc 2021-07-02 00:18:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:2431 https://access.redhat.com/errata/RHSA-2021:2431


Note You need to log in before you can comment on or make changes to this bug.