snowdensb / job-dsl-plugin

A Groovy DSL for Jenkins Jobs - Sweeeeet!
Apache License 2.0

nested-view-1.14.jar: 1 vulnerabilities (highest severity is: 7.1) #248

Open mend-for-github-com[bot] opened 7 months ago

mend-for-github-com[bot] commented 7 months ago
Vulnerable Library - nested-view-1.14.jar

Library home page: http://wiki.jenkins-ci.org/display/JENKINS/Nested+View+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /build.gradle

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (nested-view version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-21680 | High | 7.1 | nested-view-1.14.jar | Direct | org.jenkins-ci.plugins:nested-view:1.21 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

#### CVE-2021-21680

### Vulnerable Library - nested-view-1.14.jar

Library home page: http://wiki.jenkins-ci.org/display/JENKINS/Nested+View+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /build.gradle

Dependency Hierarchy:

- :x: **nested-view-1.14.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

Publish Date: 2021-08-31

URL: CVE-2021-21680

### CVSS 3 Score Details (7.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2470

Release Date: 2021-08-31

Fix Resolution: org.jenkins-ci.plugins:nested-view:1.21

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.