Skip to main content

Rundeck CVE-2020-2144

HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2020-03-09 jenkinsci-cert@googlegroups.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 09, 2020 - 16:15 nvd
HIGH 7.1

DescriptionNVD

Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

AnalysisAI

Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. Jenkins Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Affected products include: Jenkins Rundeck.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Disable external entity processing in XML parsers, use JSON instead of XML where possible.

CVE-2019-6804 MEDIUM POC
6.1 Jan 25

An XSS issue was discovered on the Job Edit page in Rundeck Community Edition before 3.0.13, related to assets/javascrip

CVE-2022-29186 CRITICAL
9.8 May 20

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated critical severit

CVE-2022-41234 HIGH
8.8 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing use

CVE-2021-39132 HIGH
8.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (C

CVE-2022-31044 HIGH
7.5 Jun 15

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated high severity (C

CVE-2021-39133 MEDIUM
6.8 Aug 30

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2020-11009 MEDIUM
6.5 Apr 29

In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job de

CVE-2019-16556 MEDIUM
6.5 Dec 17

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job conf

CVE-2023-48222 MEDIUM
5.4 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-30956 MEDIUM
5.4 May 17

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a s

CVE-2023-47112 MEDIUM
4.3 Nov 16

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rated medium severity

CVE-2022-41233 MEDIUM
4.3 Sep 21

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, a

Share

CVE-2020-2144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy