OWASP Dependency-Check plugin warning - SECURITY-2488 / CVE-2021-43577

Ian_W · December 5, 2021, 12:27am

The Plugins site and within the pluginManager Available page are reporting for OWASP Dependency-Check:

The current version of this plugin contains a vulnerability:
XXE vulnerability

OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks

The GitHub site indicates there was a new release ( 5.1.2 ) yesterday which incorporates: PR #41: CVE 2021 43577.

As the plugin is presently up for adoption, I am grateful to kudos-dude for merging the fix and Weston Wieser for cutting the new release.

Unfortunately, there does not seem be an actual changelog for this plugin, so it’s hard to tell what’s changed release by release. Can someone confirm the release does address the CVE and if so, what was missed to remove the “The current version of this plugin contains a vulnerability” warning from the plugins site.

Is there merely a delay or is manual intervention required due to the lack of changelog or the release being merely a tag and not a “GitHub release” ?

halkeye · December 5, 2021, 1:04am

@kudos-dude has had a lot of little issues getting the plugin released
Gathering the comments made on https://groups.google.com/g/jenkinsci-dev/c/qFIOBwWCLyM it should have been addressed. I’ll ping them on the mailing list.

Topic		Replies	Views
Apache Commons Text vulnerability CVE-2022-42889 Ask a question	3	2081	October 21, 2022
Jenkins Plugins Security Warnings Using Jenkins	3	1630	April 28, 2022
How to check for plugin dependencies Using Jenkins	2	3318	December 19, 2021
Plugin site showing old version of README Contributing	3	224	April 4, 2022
Jenkins project Confluence instance attacked Blog & News blog	8	1014	November 3, 2021

OWASP Dependency-Check plugin warning - SECURITY-2488 / CVE-2021-43577

Related Topics