CVE-2018-15531
published 2018-09-26
CVE-2018-15531: JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
Priority P356 · critical · 9.8 · CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 27.87% · 97.9th percentile
Affected
34 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| javamelody_project | javamelody | < 1.74.0 | 1.74.0 |
| jenkins | arachni_scanner_plugin | — | — |
| jenkins | argus_notifier_plugin | — | — |
| jenkins | artifactory_plugin | — | — |
| jenkins | chatter_notifier_plugin | — | — |
| jenkins | config_file_provider_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | crowd_2_integration_plugin | — | — |
| jenkins | dimensions_plugin | — | — |
| jenkins | email_extension_template_plugin | — | — |
| jenkins | git_changelog_plugin | — | — |
| jenkins | hipchat_plugin | — | — |
| jenkins | ids_in_argus_notifier_plugin | — | — |
| jenkins | ids_in_chatter_notifier_plugin | — | — |
| jenkins | ids_in_hipchat_plugin | — | — |
| jenkins | ids_in_mesos_plugin | — | — |
| jenkins | ids_to_allow_administrators_configuring_the_plugin | — | — |
| jenkins | ids_to_allow_users_configuring_the_plugin | — | — |
| jenkins | javamelody_library_bundled_in_monitoring_plugin | — | — |
| jenkins | jira_plugin | — | — |
| jenkins | job_config_history_plugin | — | — |
| jenkins | job_configuration_history_plugin | — | — |
| jenkins | junit_plugin | — | — |
| jenkins | mesos_cloud_plugin | — | — |
| jenkins | mesos_plugin | — | — |
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
OSV
JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
osv·2018-10-17
CVE-2018-15531 [CRITICAL] JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
GHSA
JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
ghsa·2018-10-17
CVE-2018-15531 [CRITICAL] CWE-611 JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
Jenkins
Jenkins Security Advisory 2018-09-25
vendor_jenkins·2018-09-25·CVSS 6.5
CVE-2017-12197 [MEDIUM] Jenkins Security Advisory 2018-09-25
This advisory announces vulnerabilities in the following Jenkins deliverables:
Arachni Scanner Plugin
Argus Notifier Plugin
Artifactory Plugin
Chatter Notifier Plugin
Config File Provider Plugin
crowd2 Plugin
Dimensions Plugin
Email Extensio
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2018/09/25/3
https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353
https://github.com/javamelody/javamelody/wiki/ReleaseNotes
https://jenkins.io/security/advisory/2018-09-25/
Published: 2018-09-26