{"url":"http://public2.vulnerablecode.io/api/packages/78693?format=json","purl":"pkg:maven/org.jvnet.hudson.plugins/storable-configs-plugin@1.0","type":"maven","namespace":"org.jvnet.hudson.plugins","name":"storable-configs-plugin","version":"1.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53621?format=json","vulnerability_id":"VCID-kzy6-wzcj-a7eg","summary":"Path Traversal\nJenkins Storable Configs Plugin does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job `config.xml` file's content.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-2278","reference_id":"","reference_type":"","scores":[{"value":"0.0101","scoring_system":"epss","scoring_elements":"0.77458","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0101","scoring_system":"epss","scoring_elements":"0.7748","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0101","scoring_system":"epss","scoring_elements":"0.77442","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0101","scoring_system":"epss","scoring_elements":"0.77469","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0101","scoring_system":"epss","scoring_elements":"0.77479","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-2278"},{"reference_url":"https://github.com/jenkinsci/storable-configs-plugin","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/storable-configs-plugin"},{"reference_url":"https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1968%20(2)","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1968%20(2)"},{"reference_url":"http://www.openwall.com/lists/oss-security/2020/09/16/3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2020/09/16/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-2278","reference_id":"CVE-2020-2278","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-2278"},{"reference_url":"https://github.com/advisories/GHSA-qv6q-4jwx-7j5c","reference_id":"GHSA-qv6q-4jwx-7j5c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qv6q-4jwx-7j5c"}],"fixed_packages":[],"aliases":["CVE-2020-2278","GHSA-qv6q-4jwx-7j5c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kzy6-wzcj-a7eg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111475?format=json","vulnerability_id":"VCID-q3gm-r1k9-nfed","summary":"Cross Site Request Forgery in Jenkins Storable Configs Plugin\nA cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30972","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11093","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11112","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.112","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11194","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.1116","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.1108","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30972"},{"reference_url":"https://github.com/jenkinsci/storable-configs-plugin","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/storable-configs-plugin"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30972","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30972"},{"reference_url":"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-1969","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-1969"},{"reference_url":"https://github.com/advisories/GHSA-rr2r-g6xm-58xj","reference_id":"GHSA-rr2r-g6xm-58xj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rr2r-g6xm-58xj"}],"fixed_packages":[],"aliases":["CVE-2022-30972","GHSA-rr2r-g6xm-58xj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q3gm-r1k9-nfed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53633?format=json","vulnerability_id":"VCID-vhke-avrz-yqfv","summary":"Path Traversal\nJenkins Storable Configs Plugin allows users with Job/Read permission to read arbitrary files on the Jenkins controller.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-2277","reference_id":"","reference_type":"","scores":[{"value":"0.01482","scoring_system":"epss","scoring_elements":"0.81355","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01482","scoring_system":"epss","scoring_elements":"0.81372","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01482","scoring_system":"epss","scoring_elements":"0.81332","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01482","scoring_system":"epss","scoring_elements":"0.81359","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01482","scoring_system":"epss","scoring_elements":"0.81362","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01482","scoring_system":"epss","scoring_elements":"0.8136","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-2277"},{"reference_url":"https://github.com/jenkinsci/storable-configs-plugin","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/storable-configs-plugin"},{"reference_url":"https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1968%20(1)","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1968%20(1)"},{"reference_url":"http://www.openwall.com/lists/oss-security/2020/09/16/3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2020/09/16/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-2277","reference_id":"CVE-2020-2277","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-2277"},{"reference_url":"https://github.com/advisories/GHSA-85wg-cg5p-m76p","reference_id":"GHSA-85wg-cg5p-m76p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-85wg-cg5p-m76p"}],"fixed_packages":[],"aliases":["CVE-2020-2277","GHSA-85wg-cg5p-m76p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vhke-avrz-yqfv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111271?format=json","vulnerability_id":"VCID-zusx-wejk-5kdm","summary":"XML External Entity Reference in Jenkins Storable Configs Plugin\nJenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30971","reference_id":"","reference_type":"","scores":[{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.28919","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.28942","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.29012","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.28978","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.28908","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-30971"},{"reference_url":"https://github.com/jenkinsci/storable-configs-plugin","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jenkinsci/storable-configs-plugin"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30971","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30971"},{"reference_url":"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-1969","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-1969"},{"reference_url":"https://github.com/advisories/GHSA-wqmp-2p5r-rhfv","reference_id":"GHSA-wqmp-2p5r-rhfv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wqmp-2p5r-rhfv"}],"fixed_packages":[],"aliases":["CVE-2022-30971","GHSA-wqmp-2p5r-rhfv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zusx-wejk-5kdm"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.jvnet.hudson.plugins/storable-configs-plugin@1.0"}