CVE-2024-4184

high

Description

OpenText Application Automation Tools Plugin 24.1.0 and earlier does not configure its XML parsers to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for OpenText Application Automation Tools Plugin build steps and post-build steps to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. OpenText Application Automation Tools Plugin 24.1.1-beta disables external entity resolution for its XML parsers. The fix is currently available only as a beta release. Beta releases will not appear in the regular update center but can be found in the experimental update center. For more information on how to install a beta release, see this documentation.
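The root cause described above is a JAXP parser left at its defaults, which resolve DTDs and external entities. The following is an added example, not code from the plugin or its fix, showing how a Jenkins plugin written in Java would configure a `DocumentBuilderFactory` so that external entity resolution is disabled, and a small self-check that a DOCTYPE-bearing input file is rejected while a plain results file still parses. The two XML strings are constructed for this example; the plugin's real input formats and parser classes are not known from the advisory and are not assumed here.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Constructed sample input: a results file carrying a DOCTYPE that points at an
    // external DTD (placeholder host). A parser with external entity resolution left
    // enabled would try to fetch it; the hardened parser refuses the DOCTYPE outright.
    static final String DOCTYPE_INPUT =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE testResults SYSTEM \"http://example.invalid/results.dtd\">\n"
        + "<testResults><test name=\"login\" status=\"passed\"/></testResults>";

    // Constructed sample input: the same results file without any DOCTYPE.
    static final String PLAIN_INPUT =
        "<?xml version=\"1.0\"?>\n"
        + "<testResults><test name=\"login\" status=\"passed\"/></testResults>";

    /** Builds a DocumentBuilderFactory with DTD processing and external entities disabled. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE declaration; this blocks external entities and
        // entity-expansion attacks in a single step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour the SAX features but not the one above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: forbid all external access for DTDs and schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses with the hardened factory; returns null when the input is rejected. */
    public static Document parseSafely(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            // A SAXParseException is the expected outcome for DOCTYPE-bearing input.
            System.err.println("Rejected input: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document ok = parseSafely(PLAIN_INPUT);
        System.out.println("plain input parsed, root = " + ok.getDocumentElement().getTagName());
        Document rejected = parseSafely(DOCTYPE_INPUT);
        System.out.println("DOCTYPE input accepted? " + (rejected != null));
    }
}
```

Run with `javac HardenedXmlParser.java && java HardenedXmlParser`: the plain file parses and the DOCTYPE file is rejected before any network or file access is attempted. The same settings apply to `SAXParserFactory`, `XMLInputFactory` (`SUPPORT_DTD` false, `IS_SUPPORTING_EXTERNAL_ENTITIES` false) and `TransformerFactory`, so when auditing a plugin for this class of bug, check every place an XML parser is instantiated, not only the one that reads build results.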

Details

Source: Mitre, NVD

Published: 2024-05-24

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N

Severity: High

CVSS v3

Base Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Severity: High