CVE-2020-2324
Description
Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins CVS Plugin 2.16 and earlier is vulnerable to XXE attacks, allowing an attacker who controls an agent process to extract secrets from the controller or perform SSRF.
The Jenkins CVS Plugin up to version 2.16 fails to disable XML external entity (XXE) processing when parsing changelog files. This is a classic XXE vulnerability where the XML parser is not configured to prevent external entity resolution [2].
An attacker must be able to control an agent process to submit a crafted changelog file to Jenkins. No additional authentication is required beyond agent connectivity, making this an agent-side attack vector [2].
Successful exploitation allows an attacker to extract secrets from the Jenkins controller (e.g., credentials, tokens) or perform server-side request forgery (SSRF) from the controller's network perspective [2].
The vulnerability is fixed in CVS Plugin version 2.17, which disables external entity resolution for the XML parser. Users are advised to upgrade immediately [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
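The hardening the 2.17 fix applies, shown here as an added example that is not the plugin's own code: it sets the same four parser features (plus no XInclude) on a plain JDK SAXParserFactory, an assumed stand-in for Jenkins's Digester2, then feeds it a constructed changelog with and without a DOCTYPE to show that the hardened parser rejects any DOCTYPE (the prerequisite for declaring an external entity) while a default-configured parser accepts it. The class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedChangelogParser {

    // Applies the settings the 2.17 fix puts on the Digester, here on a plain JDK
    // SAXParserFactory (an assumption for this stand-alone example): no XInclude,
    // no DOCTYPE at all, and no external general/parameter entities or external DTD.
    static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setXIncludeAware(false);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Returns true if the factory's parser accepts the document, false if it rejects it.
    static boolean accepts(SAXParserFactory f, String xml) {
        try {
            f.newSAXParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler());
            return true;
        } catch (Exception e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample changelogs: a benign one, and one carrying a DOCTYPE
        // with an internal entity (harmless here, but the hardened parser refuses
        // every DOCTYPE, so an external entity never gets a chance to be declared).
        String plain = "<changelog><entry><author>alice</author></entry></changelog>";
        String withDoctype = "<!DOCTYPE changelog [<!ENTITY who \"alice\">]>"
            + "<changelog><entry><author>&who;</author></entry></changelog>";
        SAXParserFactory hardened = hardenedFactory();
        SAXParserFactory defaults = SAXParserFactory.newInstance();
        System.out.println("hardened, plain changelog:   " + accepts(hardened, plain));
        System.out.println("hardened, DOCTYPE changelog: " + accepts(hardened, withDoctype));
        System.out.println("defaults, DOCTYPE changelog: " + accepts(defaults, withDoctype));
    }
}
```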
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:cvs (Maven) | < 2.17 | 2.17 |
Affected products
- Range: <=2.16
- Range: unspecified
Patches
1 file changed · +20 −2
src/main/java/hudson/scm/CVSChangeLogSet.java+20 −2 modified@@ -29,7 +29,9 @@ import hudson.scm.CVSChangeLogSet.CVSChangeLog; import hudson.util.Digester2; import hudson.util.IOException2; +import org.xml.sax.SAXException; +import javax.xml.parsers.ParserConfigurationException; import java.io.FileOutputStream; import java.io.IOException; import java.io.PrintStream; @@ -116,9 +118,25 @@ public static CVSChangeLogSet parse(final Run<?, ?> build, RepositoryBrowser<?> } private static ArrayList<CVSChangeLog> parseFile(final java.io.File f) - throws IOException2 { - Digester digester = new Digester2(); + throws IOException2, SAXException { + + Digester digester = new Digester2(); + + digester.setXIncludeAware(false); + + if (!Boolean.getBoolean(CVSChangeLogParser.class.getName() + ".UNSAFE")) { + try { + digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + digester.setFeature("http://xml.org/sax/features/external-general-entities", false); + digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + } + catch (ParserConfigurationException ex) { + throw new SAXException("Failed to securely configure CVS changelog parser", ex); + } + } ArrayList<CVSChangeLog> r = new ArrayList<CVSChangeLog>(); + digester.push(r); digester.addObjectCreate("*/entry", CVSChangeLog.class);
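Review bot: the `.UNSAFE` system-property opt-out in parseFile silently restores the vulnerable parser configuration, and it is keyed on `CVSChangeLogParser.class.getName()` even though the code lives in CVSChangeLogSet.java, which makes the property name hard to discover or document; consider logging a warning when the property is set and keying it on the class that owns the parser. Also note that parseFile now declares `throws IOException2, SAXException`, so any SAXNotRecognizedException/SAXNotSupportedException from `setFeature` (the catch only handles ParserConfigurationException) propagates to callers of parseFile, which now need to handle SAXException.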
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g9hg-x9c9-7xgr (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2324 (GHSA: advisory)
- www.openwall.com/lists/oss-security/2020/12/03/2 (GHSA: mailing list, x_refsource_MLIST, web)
- github.com/jenkinsci/cvs-plugin/commit/ff121443b282c8dbd6a5ee4841f152f78e4a5954 (GHSA: web)
- www.jenkins.io/security/advisory/2020-12-03/ (GHSA: x_refsource_CONFIRM, web)
News mentions
- Jenkins Security Advisory 2020-12-03 (Jenkins Security Advisories, Dec 3, 2020)