Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

  - Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and     1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation,     allowing attackers with Overall/Read permission to check for the existence of files on the controller file     system. (CVE-2024-52549)

  - Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not     check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with     Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved.
    (CVE-2024-52550)

  - Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main     (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with     Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved.
    (CVE-2024-52551)

  - Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with     JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability     exploitable by attackers with Item/Configure permission. (CVE-2024-52552)

  - Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the     previous session on login. (CVE-2024-52553)

  - Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection)     vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior     to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or     Apache Maven POMs - it will allow downloading external document type definitions and expand any entity     references contained therein when used. This can be used to exfiltrate data, access resources only the     machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy     2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow     DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing     Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more     lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use     Java system properties to restrict processing of external DTDs, see the section about JAXP Properties for     External Access restrictions inside Oracle's Java API for XML Processing (JAXP) Security Guide.
    (CVE-2022-46751)

  - Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library     overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with     Item/Configure permission on a folder to configure a folder-scoped library override that runs without     sandbox protection. (CVE-2024-52554)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - apache-ivy: XML External Entity vulnerability (CVE-2022-46751)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

The version of Oracle Business Intelligence Enterprise Edition (OAS) 6.4.0.0.0 installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2024 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (Apache Solr)). The supported version that is affected is 6.4.0.0.0.     Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can     result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle     Business Intelligence Enterprise Edition. (CVE-2021-33813)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Visual Analyzer (Apache Ivy)). The supported version that is affected is 6.4.0.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise     Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of     Oracle Business Intelligence Enterprise Edition. (CVE-2022-46751)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Pod Admin). Supported versions that are affected are 6.4.0.0.0 and 12.2.1.4.0. Easily     exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise     Oracle Business Intelligence Enterprise Edition. While the vulnerability is in Oracle Business     Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change).     Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle     Business Intelligence Enterprise Edition accessible data. (CVE-2024-20904)   Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:4367-1 advisory.

  - Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection)     vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior     to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or     Apache Maven POMs - it will allow downloading external document type definitions and expand any entity     references contained therein when used. This can be used to exfiltrate data, access resources only the     machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy     2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow     DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing     Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more     lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use     Java system properties to restrict processing of external DTDs, see the section about JAXP Properties for     External Access restrictions inside Oracle's Java API for XML Processing (JAXP) Security Guide.
    (CVE-2022-46751)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of apache-ivy installed on the remote host is prior to 2.2.0-5.2. It is, therefore, affected by a vulnerability as referenced in the ALAS-2023-1863 advisory.

  - Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection)     vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior     to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or     Apache Maven POMs - it will allow downloading external document type definitions and expand any entity     references contained therein when used. This can be used to exfiltrate data, access resources only the     machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy     2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow     DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing     Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more     lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use     Java system properties to restrict processing of external DTDs, see the section about JAXP Properties for     External Access restrictions inside Oracle's Java API for XML Processing (JAXP) Security Guide.
    (CVE-2022-46751)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of apache-ivy installed on the remote host is prior to 2.3.0-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2302 advisory.

  - Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection)     vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior     to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or     Apache Maven POMs - it will allow downloading external document type definitions and expand any entity     references contained therein when used. This can be used to exfiltrate data, access resources only the     machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy     2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow     DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing     Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more     lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use     Java system properties to restrict processing of external DTDs, see the section about JAXP Properties for     External Access restrictions inside Oracle's Java API for XML Processing (JAXP) Security Guide.
    (CVE-2022-46751)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-336 advisory.

  - Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection)     vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior     to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or     Apache Maven POMs - it will allow downloading external document type definitions and expand any entity     references contained therein when used. This can be used to exfiltrate data, access resources only the     machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy     2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow     DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing     Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more     lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use     Java system properties to restrict processing of external DTDs, see the section about JAXP Properties for     External Access restrictions inside Oracle's Java API for XML Processing (JAXP) Security Guide.
    (CVE-2022-46751)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

  - Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name'     query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated     configuration history that was not created by the plugin. (CVE-2023-41930)

  - Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp'     query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories     on the Jenkins controller file system as long as they contain a file called 'history.xml'.
    (CVE-2023-41932)

  - Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser     to prevent XML external entity (XXE) attacks. (CVE-2023-41933)

  - Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-     constant time comparison function when checking whether the provided and expected CSRF protection nonce     are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
    (CVE-2023-41935)

  - Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking     whether the provided and expected token are equal, potentially allowing attackers to use statistical     methods to obtain a valid token. (CVE-2023-41936)

  - Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided     in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to     those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted     webhook payload. (CVE-2023-41937)

  - Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection)     vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior     to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or     Apache Maven POMs - it will allow downloading external document type definitions and expand any entity     references contained therein when used. This can be used to exfiltrate data, access resources only the     machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy     2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow     DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing     Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more     lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use     Java system properties to restrict processing of external DTDs, see the section about JAXP Properties for     External Access restrictions inside Oracle's Java API for XML Processing (JAXP) Security Guide.
    (CVE-2022-46751)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers     to delete disabled modules. (CVE-2023-41938)

  - Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are     enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage)     to access functionality they're no longer entitled to. (CVE-2023-41939)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and     earlier allows attackers to clear the SQS queue. (CVE-2023-41942)

  - Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed     to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.
    (CVE-2023-41944)

  - Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled,     resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions,     even if those permissions are disabled and should not be granted. (CVE-2023-41945)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows     attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and     names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.
    (CVE-2023-41946)

  - A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with     Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.
    (CVE-2023-41947)

  - Path traversal allows exploiting XSS vulnerability in Job Configuration History Plugin (CVE-2023-41931)

  - Improper masking of credentials in Pipeline Maven Integration Plugin (CVE-2023-41934)

  - Stored XSS vulnerability in TAP Plugin (CVE-2023-41940)

  - Missing permission check in AWS CodeCommit Trigger Plugin allows enumerating credentials IDs     (CVE-2023-41941)

  - CSRF vulnerability and missing permission check in AWS CodeCommit Trigger Plugin (CVE-2023-41943)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
210929	Jenkins plugins Multiple Vulnerabilities (2024-11-13)	Nessus	CGI abuses	high
199240	RHEL 8 : apache-ivy (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
189734	Oracle Business Intelligence Enterprise Edition (OAS 6.4) (January 2024 CPU)	Nessus	Misc.	high
184802	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : apache-ivy (SUSE-SU-2023:4367-1)	Nessus	SuSE Local Security Checks	high
183846	Amazon Linux AMI : apache-ivy (ALAS-2023-1863)	Nessus	Amazon Linux Local Security Checks	high
183470	Amazon Linux 2 : apache-ivy (ALAS-2023-2302)	Nessus	Amazon Linux Local Security Checks	high
181136	Amazon Linux 2023 : apache-ivy, apache-ivy-javadoc (ALAS2023-2023-336)	Nessus	Amazon Linux Local Security Checks	high
180576	Jenkins plugins Multiple Vulnerabilities (2023-09-06)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2022-46751

high

Tenable Plugins

high

high

high

high

high

high

high

high