Package Instance

XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin
Jenkins Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Jenkins Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.

Withdrawn Advisory: Infinite loop in xz
### Withdrawn Advisory
This advisory has been withdrawn because alerts cannot be issued for the Go standard library at this time.

### Original Description
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files
Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.

This is due to an incomplete fix of [SECURITY-938](https://www.jenkins.io/security/advisory/2018-09-25/#SECURITY-938).

Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.

Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs
Jenkins Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate configuration file IDs.

An enumeration of configuration file IDs in Jenkins Config File Provider Plugin 3.7.1 requires the appropriate permissions.

Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs
Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.

This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of system-scoped credentials IDs in Jenkins Config File Provider Plugin 3.7.1 requires Overall/Administer permission.