CVE-2022-45397 - Vulnerability Details - OpenCVE

Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Jenkins	Osf Builder Suite \

Configuration 1 [-]

cpe:2.3:a:jenkins:osf_builder_suite_\:\:_xml_linter:*:*:*:*:*:jenkins:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/11/15/4
https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2937

History

Wed, 30 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2022-11-15T00:00:00.000Z

Updated: 2025-04-30T16:04:59.949Z

Reserved: 2022-11-14T00:00:00.000Z

Link: CVE-2022-45397

Vulnrichment

Updated: 2024-08-03T14:09:57.039Z

NVD

Status : Modified

Published: 2022-11-15T20:15:14.190

Modified: 2025-04-30T16:15:32.080

Link: CVE-2022-45397

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-45397", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "dateUpdated": "2025-04-30T16:04:59.949Z", "dateReserved": "2022-11-14T00:00:00.000Z", "datePublished": "2022-11-15T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"product": "Jenkins OSF Builder Suite : : XML Linter Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1.0.2", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "unknown", "version": "next of 1.0.2", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:26:29.291Z"}, "references": [{"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2937"}, {"name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:09:57.039Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2937", "tags": ["x_transferred"]}, {"name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-611", "lang": "en", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-30T16:04:42.480098Z", "id": "CVE-2022-45397", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T16:04:59.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2937", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4", "name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:09:57.039Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-45397", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-30T16:04:42.480098Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T16:04:55.044Z"}}], "cna": {"affected": [{"vendor": "Jenkins project", "product": "Jenkins OSF Builder Suite : : XML Linter Plugin", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "1.0.2"}, {"status": "unknown", "version": "next of 1.0.2", "lessThan": "unspecified", "versionType": "custom"}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2937"}, {"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4", "name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:26:29.291Z"}}}, "cveMetadata": {"cveId": "CVE-2022-45397", "state": "PUBLISHED", "dateUpdated": "2025-04-30T16:04:59.949Z", "dateReserved": "2022-11-14T00:00:00.000Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2022-11-15T00:00:00.000Z", "assignerShortName": "jenkins"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:osf_builder_suite_\\:\\:_xml_linter:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "1E155FEC-E48E-41C0-AD71-2DED848352E8", "versionEndIncluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks."}, {"lang": "es", "value": "Jenkins OSF Builder Suite :: XML Linter Plugin 1.0.2 y versiones anteriores no configuran su analizador XML para evitar ataques de entidades externas XML (XXE)."}], "id": "CVE-2022-45397", "lastModified": "2025-04-30T16:15:32.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-11-15T20:15:14.190", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2937"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2937"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}