{
  "threat_severity" : "Important",
  "public_date" : "2020-11-04T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks",
    "id" : "1895940",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1895940"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-611",
  "details" : [ "Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.", "A flaw was found in the Mercurial plugin in Jenkins. The XML changelog parser is not configured to prevent XML external entity (XXE) attacks. An attacker who can control an agent process can have the Jenkins controller parse a crafted changelog file that declares external entities, allowing extraction of secrets from the Jenkins controller or server-side request forgery (SSRF) originating from the controller. The highest threat from this vulnerability is to data confidentiality." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0637",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "jenkins-2-plugins-0:3.11.1612862361-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.4",
    "release_date" : "2021-02-03T00:00:00Z",
    "advisory" : "RHSA-2021:0282",
    "cpe" : "cpe:/a:redhat:openshift:4.4::el7",
    "package" : "jenkins-2-plugins-0:4.4.1611203637-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2021-01-20T00:00:00Z",
    "advisory" : "RHSA-2021:0034",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "jenkins-2-plugins-0:4.5.1610108899-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-01-18T00:00:00Z",
    "advisory" : "RHSA-2021:0038",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el7",
    "package" : "jenkins-2-plugins-0:4.6.1608634578-1.el7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-2305\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-2305\nhttps://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115" ],
  "name" : "CVE-2020-2305",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}