Common Weakness Enumeration

CWE-652

Allowed

Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

Abstraction: Base · Status: Incomplete

The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

2 vulnerabilities reference this CWE, most recent first.

GHSA-48G9-H7G5-8PW2

Vulnerability from github – Published: 2023-04-02 21:30 – Updated: 2025-02-25 21:41
VLAI
Summary
Jenkins Convert To Pipeline Plugin vulnerable to cross-site request forgery
Details

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966/CVE-2023-28677, this can result in the execution of unsandboxed Pipeline scripts.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:convert-to-pipeline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-652"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-04T17:37:11Z",
    "nvd_published_at": "2023-04-02T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nThis vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with [SECURITY-2966](https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2966)/CVE-2023-28677, this can result in the execution of unsandboxed Pipeline scripts.",
  "id": "GHSA-48g9-h7g5-8pw2",
  "modified": "2025-02-25T21:41:03Z",
  "published": "2023-04-02T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28676"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/octoperf-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2963"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Convert To Pipeline Plugin vulnerable to cross-site request forgery"
}

GHSA-P4XX-W6FR-C4W9

Vulnerability from github – Published: 2023-02-02 06:30 – Updated: 2025-03-26 19:49
VLAI
Summary
Clockwork Web contains a Cross-Site Request Forgery Vulnerability with Rails < 5.2
Details

Clockwork Web before 0.1.2, when used with Rails before 5.2 is used, allows Cross-Site Request Forgery (CSRF). A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include enabling and disabling jobs. All users running an affected release on Rails < 5.2 should upgrade immediately.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "clockwork_web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-652"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-02T23:07:04Z",
    "nvd_published_at": "2023-02-02T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Clockwork Web before 0.1.2, when used with Rails before 5.2 is used, allows Cross-Site Request Forgery (CSRF). A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include enabling and disabling jobs. All users running an affected release on Rails \u003c 5.2 should upgrade immediately.",
  "id": "GHSA-p4xx-w6fr-c4w9",
  "modified": "2025-03-26T19:49:06Z",
  "published": "2023-02-02T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ankane/clockwork_web/issues/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ankane/clockwork_web"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ankane/clockwork_web/compare/v0.1.1...v0.1.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/clockwork_web/CVE-2023-25015.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Clockwork Web contains a Cross-Site Request Forgery Vulnerability with Rails \u003c 5.2"
}

Mitigation
Implementation

Use parameterized queries. This will help ensure separation between data plane and control plane.

Mitigation
Implementation

Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.

No CAPEC attack patterns related to this CWE.