ID CVE-2023-28682
Summary Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Vulnerable Configurations
  • cpe:2.3:a:jenkins:performance_publisher:-:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.01:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.02:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.03:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.04:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.05:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.06:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.07:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.08:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:performance_publisher:8.09:*:*:*:*:jenkins:*:*
CVSS
Base: None
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Last major update 09-04-2023 - 01:52
Published 02-04-2023 - 21:15
Last modified 09-04-2023 - 01:52