
CVE-2015-1811: XML external entity (XXE) vulnerability in Jenkins

CVSS Score (v3.1)
7.5

Basic Information

EPSS Score
0.32749%
CWE
-
Published
5/24/2022
Updated
1/30/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.main:jenkins-core    maven       >= 1.597, < 1.600     1.600
org.jenkins-ci.main:jenkins-core    maven       < 1.596.1             1.596.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The XXE vulnerability (CWE-611) indicates insecure XML parsing. Jenkins' advisory references SECURITY-167 involving external entity processing. In Java, this typically occurs when DocumentBuilderFactory/SAXParserFactory isn't properly secured. The function responsible for initializing the XML parser (like XStream2.createDefaultDocumentBuilderFactory) would be vulnerable if it didn't disable DTDs/external entities. While the exact patch isn't shown, this pattern matches standard XXE fixes and Jenkins' Java-based XML processing architecture.
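As an added illustration (this is not Jenkins' code and not the SECURITY-167 patch), the Java helper below shows the parser configuration the analysis above describes: a DocumentBuilderFactory with DTD processing and external entity resolution switched off, exercised against a constructed document that declares an external entity and against an ordinary document without a DOCTYPE. The class and method names are hypothetical; the feature URIs are the standard JAXP/Xerces ones supported by the JDK's built-in parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Hypothetical helper, not Jenkins' XStream2.createDefaultDocumentBuilderFactory:
    // builds a DocumentBuilderFactory with DTDs and external entities disabled.
    public static DocumentBuilderFactory createHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

        // Reject any DOCTYPE declaration outright. On the JDK's built-in Xerces this single
        // feature blocks external entities, entity expansion and external DTD fetches.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        // Defence in depth, in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // XInclude and entity expansion are further ways to pull in external content.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses untrusted XML with the hardened factory. Returns the document, or null when the
    // parser rejected the input (for example because it carried a DOCTYPE).
    public static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder db = createHardenedFactory().newDocumentBuilder();
        try {
            return db.parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document declaring an external entity. The SYSTEM URI is a
        // placeholder; the hardened parser stops at the DOCTYPE before it would resolve anything.
        String withDoctype =
              "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE config [ <!ENTITY ext SYSTEM \"file:///placeholder/not-read\"> ]>\n"
            + "<config><name>&ext;</name></config>";

        // Constructed sample: ordinary configuration XML without a DOCTYPE, which must still parse.
        String plain = "<config><name>build-agent</name></config>";

        System.out.println("document with DOCTYPE accepted: " + (parseUntrusted(withDoctype) != null));
        Document doc = parseUntrusted(plain);
        System.out.println("plain document accepted: " + (doc != null));
        System.out.println("name element: " + doc.getElementsByTagName("name").item(0).getTextContent());
    }
}
```

The same feature URIs apply to SAXParserFactory (via setFeature on the factory or the XMLReader), which is the other parser entry point the analysis names. A quick check for a codebase is to grep for DocumentBuilderFactory.newInstance() and SAXParserFactory.newInstance() and confirm each call site is followed by the disallow-doctype-decl or external-entity features before newDocumentBuilder()/newSAXParser() is invoked.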


WAF Protection Rules

WAF Rule

XML external entity (XXE) vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via a crafted XML document.
