CVE-2018-1000008XML External Entity (XXE) Injection in Jenkins PMD

CWE-611XML External Entity (XXE) Injection4 documents4 sources
Severity
8.8HIGHNVD
EPSS
0.1%
top 77.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Jenkins PMDJenkins ANT PluginJenkins Nodes AND Processes Plugin+2 more
Timeline
PublishedJan 23
Latest updateMay 14

Description

Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

NVDjenkins/pmd3.49

🔴Vulnerability Details

2
GHSA
XXE vulnerability in Jenkins PMD Plugin2022-05-14
OSV
XXE vulnerability in Jenkins PMD Plugin2022-05-14

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2018-01-222018-01-22