CVE-2020-2284 — XXE vulnerability in Jenkins Liquibase Runner Plugin

Description

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Jenkins Liquibase Runner Plugin 1.4.7 no longer parses Liquibase changesets.

How to fix CVE-2020-2284

To remediate CVE-2020-2284, upgrade the affected package to a fixed version below.

—upgrade to 1.4.7 or later

Is CVE-2020-2284 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.4.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2284
PATCHgithub.com/jenkinsci/liquibase-runner-plugin
WEBwww.jenkins.io/security/advisory/2020-09-23/#SECURITY-1887
WEBwww.openwall.com/lists/oss-security/2020/09/23/1