CSRF vulnerability in Jenkins Chef Sinatra Plugin allow XXE
High severity
GitHub Reviewed
Published
Feb 16, 2022
to the GitHub Advisory Database
•
Updated Oct 27, 2023
Package
Affected versions
<= 1.20
Patched versions
None
Description
Published by the National Vulnerability Database
Feb 15, 2022
Published to the GitHub Advisory Database
Feb 16, 2022
Reviewed
Dec 1, 2022
Last updated
Oct 27, 2023
Jenkins Chef Sinatra Plugin 1.20 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse the response as XML.
As the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
References