Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

API Flaws in Lego Marketplace Put User Accounts, Data at Risk

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

CVE-2022-3590

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

**Apache CXF Server-Side Request Forgery vulnerability**

High severity GitHub Reviewed Published Dec 13, 2022 • Updated Dec 13, 2022

GHSA-x3x3-qwjq-8gj4: Apache CXF Server-Side Request Forgery vulnerability

CVE-2022-46364: Apache CXF SSRF Vulnerability Severity: important Description: A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Credit: thanat0s from Beijin Qihoo 360 adlab (finder) (finder) References: https://cxf.apache.org/ https://www.cve.org/CVERecord?id=CVE-2022-46364

CVE-2022-46364

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Plot Plugin 2.1.12 disables external entity resolution for its XML parser.



**Jenkins Plot Plugin XML External Entity Reference vulnerability**

High severity GitHub Reviewed Published Dec 12, 2022 • Updated Dec 12, 2022

GHSA-wgpp-g6v9-7hxp: Jenkins Plot Plugin XML External Entity Reference vulnerability

IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.

**Security Bulletin**

  

**Summary**

IBM has released the below fix for IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data in response to multiple vulnerabilities found in multiple components.

**Vulnerability Details**

**CVEID:**   CVE-2016-1000023  
**DESCRIPTION:**   Minimatch is vulnerable to a denial of service, caused by a regular expression of minimatch.js. By using a specially crafted glob pattern, a remote attacker could exploit this vulnerability to cause the application to consume an overly large amount of CPU resources  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/118817 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-41296  
**DESCRIPTION:**   IBM Db2U is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237210 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2021-21303  
**DESCRIPTION:**   Helm could allow a local authenticated attacker to bypass security restrictions, caused by the failure to sanitized multiple fields in various .yaml files. By sending a specially-crafted request, an attacker could exploit this vulnerability to send deceptive, obscure or alter information to a terminal screen.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196392 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

**CVEID:**   CVE-2022-36055  
**DESCRIPTION:**   Helm is vulnerable to a denial of service, caused by a flaw in the strvals package. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause memory panics, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235100 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2021-32690  
**DESCRIPTION:**   Helm could allow a remote attacker to obtain sensitive information, caused by improper validation of user-supplied input by the index.yaml file. By gaining access to the chart archives, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 6.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203901 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2022-3172  
**DESCRIPTION:**   Kubernetes kube-apiserver is vulnerable to server-side request forgery, caused by a flaw with allowing an aggregated API server to redirect client traffic to any URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to unexpected actions and the client's API server credentials to third parties.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236344 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)

**CVEID:**   CVE-2022-29526  
**DESCRIPTION:**   Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the Faccessat function when called with a non-zero flags parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain accessible file information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229593 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-30633  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by an uncontrolled recursion flaw in Unmarshal in encoding/xml due to stack exhaustion. By parsing a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a panic.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233146 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-28131  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by an uncontrolled recursion flaw in Decoder.Skip in encoding/xml due to stack exhaustion. By parsing a specially-crafted XML document, a remote attacker could exploit this vulnerability to cause a panic.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233141 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-27664  
**DESCRIPTION:**   Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a closing HTTP/2 server connection to hang, and results in a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-41297  
**DESCRIPTION:**   IBM Db2U is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237212 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

**IBM X-Force ID:**   221551  
**DESCRIPTION:**   Helm could allow a remote authenticated attacker to obtain sensitive information, caused by repository credentials being passed to alternate domain. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221551 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

All platforms of the following IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data refresh levels are affected:

Release

Version

IBM® Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

v3.5 through refresh 10  
v4.0 through refresh 9  
v4.5 through refresh 3

  

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data release containing the fix for these issues. It can be applied to any affected fixpack and refresh level of the appropriate release.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

30 Nov 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC8M7","label":"IBM Db2 Advanced Edition Cartridge for IBM Cloud Pak for Data"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSSAIKN","label":"IBM Db2 Warehouse Cartridge for IBM Cloud Pak for Data"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"All","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-41296: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data

Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Checkmarx Plugin
*   Custom Build Properties Plugin
*   Gitea Plugin
*   Google Login Plugin
*   Plot Plugin
*   Sonar Gerrit Plugin
*   Spring Config Plugin

**Descriptions****XXE vulnerability in Plot Plugin**

**SECURITY-2940 / CVE-2022-46682**  
**Severity (CVSS):** High  
**Affected plugin: plot**  
**Description:**

Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Plot Plugin 2.1.12 disables external entity resolution for its XML parser.

**Open redirect vulnerability in Google Login Plugin**

**SECURITY-2967 / CVE-2022-46683**  
**Severity (CVSS):** Medium  
**Affected plugin: google-login**  
**Description:**

Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

Google Login Plugin 1.7 only redirects to relative (Jenkins) URLs.

**Stored XSS vulnerability in Checkmarx Plugin**

**SECURITY-2869 / CVE-2022-46684**  
**Severity (CVSS):** High  
**Affected plugin: checkmarx**  
**Description:**

Checkmarx Plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI.

Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site scripting (XSS) vulnerability.

While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, this could still be exploited via man-in-the-middle attacks.

Checkmarx Plugin 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.

**Improper credentials masking in Gitea Plugin**

**SECURITY-2661 / CVE-2022-46685**  
**Severity (CVSS):** Medium  
**Affected plugin: gitea**  
**Description:**

Gitea Plugin support authentication with Gitea personal access tokens.

In Gitea Plugin 1.4.4 and earlier, the implementation of these tokens did not support credentials masking. This can expose Gitea personal access tokens in the build log, e.g., when printed as part of repository URLs.

Gitea Plugin 1.4.5 adds support for masking of Gitea personal access tokens.

Administrators unable to update are advised to use SSH checkout instead.

**Stored XSS vulnerability in Custom Build Properties Plugin**

**SECURITY-2810 / CVE-2022-46686**  
**Severity (CVSS):** High  
**Affected plugin: custom-build-properties**  
**Description:**

Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.

Custom Build Properties Plugin 2.82.v16d5b\_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.

**Stored XSS vulnerability in Spring Config Plugin**

**SECURITY-2814 / CVE-2022-46687**  
**Severity (CVSS):** High  
**Affected plugin: spring-config**  
**Description:**

Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

Spring Config Plugin 2.0.1 escapes build display names shown on the Spring Config view.

**CSRF vulnerability in Sonar Gerrit Plugin**

**SECURITY-1002 / CVE-2022-46688**  
**Severity (CVSS):** Medium  
**Affected plugin: sonar-gerrit**  
**Description:**

Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

**Severity**

*   SECURITY-1002: Medium
*   SECURITY-2661: Medium
*   SECURITY-2810: High
*   SECURITY-2814: High
*   SECURITY-2869: High
*   SECURITY-2940: High
*   SECURITY-2967: Medium

**Affected Versions**

*   **Checkmarx Plugin** up to and including 2022.3.3
*   **Custom Build Properties Plugin** up to and including 2.79.vc095ccc85094
*   **Gitea Plugin** up to and including 1.4.4
*   **Google Login Plugin** up to and including 1.6
*   **Plot Plugin** up to and including 2.1.11
*   **Sonar Gerrit Plugin** up to and including 377.v8f3808963dc5
*   **Spring Config Plugin** up to and including 2.0.0

**Fix**

*   **Checkmarx Plugin** should be updated to version 2022.4.3
*   **Custom Build Properties Plugin** should be updated to version 2.82.v16d5b\_d3590c7
*   **Gitea Plugin** should be updated to version 1.4.5
*   **Google Login Plugin** should be updated to version 1.7
*   **Plot Plugin** should be updated to version 2.1.12
*   **Spring Config Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Sonar Gerrit Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Asi Greenholts of Cider Security** for SECURITY-2661
*   **CC Bomber, Kitri BoB** for SECURITY-2940
*   **Kevin Guerroudj, CloudBees, Inc. and Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2810, SECURITY-2869
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1002
*   **Valdes Che Zogou, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2967

CVE-2022-46683: Jenkins Security Advisory 2022-12-07

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-46682: Jenkins Security Advisory 2022-12-07

Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

CVE-2022-46687: Jenkins Security Advisory 2022-12-07

Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.

Tag

#ssrf