CVE-2015-1811: XML external entity (XXE) vulnerability in Jenkins
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2015-1811
GHSA ID:
EPSS Score: 0.32749%
CWE: -
Published: 5/24/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.main:jenkins-core | maven | >= 1.597, < 1.600 | 1.600 |
org.jenkins-ci.main:jenkins-core | maven | < 1.596.1 | 1.596.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
An XXE vulnerability (CWE-611) means XML was parsed with external entity resolution left enabled. The Jenkins advisory references SECURITY-167, which concerns external entity processing. In Java this typically happens when a DocumentBuilderFactory or SAXParserFactory is used with its default settings, which load DTDs and resolve external general and parameter entities, so an attacker-controlled document can cause the server to read local files (consistent with the C:H / I:N / A:N vector above). The function that initialises the XML parser (for example XStream2.createDefaultDocumentBuilderFactory) would be vulnerable if it did not disallow DOCTYPE declarations and external entities. The exact patch is not shown here, but this pattern matches the standard XXE fix and Jenkins' Java-based XML processing architecture.