[org.jenkins-ci.plugins:websphere-deployer] XXE vulnerability in Jenkins WebSphere Deployer Plugin

WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This could be exploited by a user with Job/Configure permissions to upload a specially crafted war file containing a WEB-INF/ibm-web-ext.xml which is parsed by the plugin.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2108
• https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1719
• http://www.openwall.com/lists/oss-security/2020/01/29/1
• https://github.com/advisories/GHSA-f5wx-w2f9-82gh