Vulnerabilities > CVE-2023-41932 - XXE vulnerability in Jenkins JOB Configuration History

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

jenkins

CWE-611

NVD

Published: 2023-09-06

Updated: 2023-09-11

Summary

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.

Vulnerable Configurations

Part	Description	Count
Application	Jenkins Jenkins JOB Configuration History 1.9 Jenkins JOB Configuration History 1.10 Jenkins JOB Configuration History 1.11 Jenkins JOB Configuration History 1.12 Jenkins JOB Configuration History 1.13 Jenkins JOB Configuration History 2.0 Jenkins JOB Configuration History 2.1 Jenkins JOB Configuration History 2.1.1 Jenkins JOB Configuration History 2.2 Jenkins JOB Configuration History 2.3 Jenkins JOB Configuration History 2.4 Jenkins JOB Configuration History 2.5 Jenkins JOB Configuration History 2.6 Jenkins JOB Configuration History 2.8 Jenkins JOB Configuration History 2.9 Jenkins JOB Configuration History 2.10 Jenkins JOB Configuration History 2.11 Jenkins JOB Configuration History 2.12 Jenkins JOB Configuration History 2.13 Jenkins JOB Configuration History 2.14 Jenkins JOB Configuration History 2.15 Jenkins JOB Configuration History 2.16 Jenkins JOB Configuration History 2.17 Jenkins JOB Configuration History 2.18 Jenkins JOB Configuration History 2.18.1 Jenkins JOB Configuration History 2.18.2 Jenkins JOB Configuration History 2.18.3 Jenkins JOB Configuration History 2.19 Jenkins JOB Configuration History 2.20 Jenkins JOB Configuration History 2.21 Jenkins JOB Configuration History 2.22 Jenkins JOB Configuration History 2.23 Jenkins JOB Configuration History 2.23.1 Jenkins JOB Configuration History 2.24 Jenkins JOB Configuration History 2.25 Jenkins JOB Configuration History 2.26 Jenkins JOB Configuration History 2.27 Jenkins JOB Configuration History 2.28 Jenkins JOB Configuration History 2.28.1 Jenkins JOB Configuration History 2.29 Jenkins JOB Configuration History 2.29-Rc1073.41Ef89Cf4E15 Jenkins JOB Configuration History 2.30 Jenkins JOB Configuration History 2.31-Rc1092.De9E11Acbcf3 Jenkins JOB Configuration History 2.31-Rc1098.B666422863B2 Jenkins JOB Configuration History 2.31-Rc1107.2354F08725A_8 Jenkins JOB Configuration History 2.31-Rc1118.Fdcd7D8898Ff Jenkins JOB Configuration History 1119.V509E1017356B_ Jenkins JOB Configuration History 1133.V0F5420F85053 Jenkins JOB Configuration History 1139.V888B_656Ca_F6D Jenkins JOB Configuration History 1146.V94C2521F9213 Jenkins JOB Configuration History 1155.V28A_46A_Cc06A_5 Jenkins JOB Configuration History 1156.V536A_97B_8D649 Jenkins JOB Configuration History 1163.Ve82C7C6E60A_3 Jenkins JOB Configuration History 1165.V8Cc9Fd1F4597 Jenkins JOB Configuration History 1166.Vc9F255F45B_8A Jenkins JOB Configuration History 1170.V8A_C085B_Dd49C Jenkins JOB Configuration History 1171.V04B_66D78555E Jenkins JOB Configuration History 1176.V1B_4290Db_41A_5 Jenkins JOB Configuration History 1183.V6E2785Ff75E0 Jenkins JOB Configuration History 1187.V2A_B_1Ca_54D18D Jenkins JOB Configuration History 1191.V168C8C2B_956A Jenkins JOB Configuration History 1198.V4D5736C2308C Jenkins JOB Configuration History 1206.Vc8967Cc8A_2Cb Jenkins JOB Configuration History 1207.Vd28A_54732F92 Jenkins JOB Configuration History 1212.Vd4470D08Ff12 Jenkins JOB Configuration History 1227.V7A_79Fc4Dc01F	66

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References