Description
Jenkins FitNesse Plugin 1.30 and earlier does not configure the XML parser it uses to read FitNesse test result files to prevent XML external entity (XXE) attacks. Because the result files come from the build and are parsed by Jenkins, anyone able to control that input (for example by controlling the process that produces the results, or the workspace on an agent) can have Jenkins parse a crafted XML document whose DOCTYPE declares external entities. The usual XXE consequences apply: reading files from the Jenkins controller into the parsed result (secret extraction), server-side request forgery via `SYSTEM` entities pointing at internal URLs, and denial of service through entity expansion or blocking fetches.
Remediation
Upgrade to FitNesse Plugin 1.31 or later, which configures its XML parser to prevent external entity resolution (see the Jenkins advisory linked below). Until the upgrade is applied, treat FitNesse result XML as untrusted input and restrict who can write to the workspaces and agents the plugin reads results from.
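To make the defect concrete, here is an added Java example (not code from the FitNesse plugin or from Jenkins) that parses a constructed, FitNesse-shaped result document once with a default `DocumentBuilderFactory` and once with a hardened one. The document's DOCTYPE declares an entity that points at a temp file created by the program itself, standing in for a secret on the controller; the element names (`testResults`, `result`, `relativePageName`) are illustrative and no specific plugin API is assumed.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed result XML: the DOCTYPE declares an external entity that
    // points at a local file, and the entity is referenced inside an element
    // the parser would normally read as a page name.
    static String craftedResults(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE testResults [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<testResults><result>"
             + "<relativePageName>&xxe;</relativePageName>"
             + "</result></testResults>";
    }

    // Default JAXP factory: DOCTYPE is accepted and SYSTEM entities are
    // resolved, so the file content ends up in the DOM text.
    static String parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("relativePageName").item(0).getTextContent();
    }

    // Hardened factory: reject any DOCTYPE outright (this alone stops XXE and
    // entity-expansion DoS), then disable the remaining external-fetch paths
    // in case a parser implementation ignores the first feature.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static String parseSafe(String xml) throws Exception {
        Document d = hardenedFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("relativePageName").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret on the Jenkins controller, created by this demo.
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.write(secret, "constructed secret value".getBytes(StandardCharsets.UTF_8));
        String xml = craftedResults(secret);
        try {
            System.out.println("default parser  -> " + parseUnsafe(xml));
            try {
                parseSafe(xml);
                System.out.println("hardened parser -> parsed (unexpected)");
            } catch (SAXParseException e) {
                // Expected: the DOCTYPE is refused before any entity is resolved.
                System.out.println("hardened parser -> rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `java XxeDemo.java` (JDK 11 or later). The default parser prints the temp file's content where a page name should be, which is exactly the "extraction of secrets" outcome; the hardened factory throws a `SAXParseException` at the DOCTYPE. Inside a Jenkins plugin the same end is reached by parsing through Jenkins core's `jenkins.util.xml.XMLUtils`, which applies equivalent restrictions, rather than by constructing a `DocumentBuilderFactory` directly.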
References
https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1751
http://www.openwall.com/lists/oss-security/2020/02/12/3
Related Vulnerabilities
CVE-2020-2181 Vulnerability in maven package org.jenkins-ci.plugins:credentials-binding
CVE-2021-21621 Vulnerability in maven package org.jenkins-ci.plugins:support-core
CVE-2022-2596 Vulnerability in maven package org.webjars.npm:node-fetch
CVE-2017-3586 Vulnerability in maven package mysql:mysql-connector-java
CVE-2023-22465 Vulnerability in maven package org.http4s:http4s-core_3