CVE-2018-1000054: XML External Entity (XXE) Injection in Jenkins CCM

Severity
8.3 HIGH (NVD)
EPSS
0.1%
top 79.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 9
Latest update: May 14

Description

Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Exploitability: 2.8 | Impact: 5.5

🔴 Vulnerability Details (2)

OSV: Jenkins CCM Plugin vulnerable to Improper Restriction of XML External Entity Reference (2022-05-14)
GHSA: Jenkins CCM Plugin vulnerable to Improper Restriction of XML External Entity Reference (2022-05-14)

📋 Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2018-02-05 (2018-02-05)