Miggo Logo
Miggo Vulnerability Database
CVE-2015-5319

CVE-2015-5319:
Jenkins has XML External Entity (XXE) Vulnerability in Job Configuration via CLI

5

CVSS Score

Basic Information

CVE ID
CVE-2015-5319
GHSA ID
GHSA-3j9c-cp7m-8w8g
EPSS Score
0.46141%
CWE
CWE-611
Published
5/13/2022
Updated
3/13/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:P/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.main:jenkins-coremaven>= 1.626, < 1.6381.638
org.jenkins-ci.main:jenkins-coremaven< 1.625.21.625.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from unsafe XML handling in createProjectFromXML. The pre-patch code used IOUtils.copy() to write raw XML input to disk, which was later parsed without XXE protections. The fix replaced this with XMLUtils.safeTransform() which explicitly disables external entities. The added test case in ItemGroupMixInTest.java demonstrates how XXE payloads would be blocked post-fix. The commit message '[SECURITY-173] use XMlUtils safe transformation' directly correlates to addressing this vulnerability in this function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

XML *xt*rn*l *ntity (XX*) vuln*r**ility in t** *r**t*-jo* *LI *omm*n* in J*nkins ***or* *.*** *n* LTS ***or* *.***.* *llows r*mot* *tt**k*rs to r*** *r*itr*ry *il*s vi* * *r**t** jo* *on*i*ur*tion t**t is t**n us** in *n "XML-*w*r* tool," *s **monstr

Reasoning

T** vuln*r**ility st*mm** *rom uns*** XML **n*lin* in *r**t*Proj**t*romXML. T** pr*-p*t** *o** us** IOUtils.*opy() to writ* r*w XML input to *isk, w*i** w*s l*t*r p*rs** wit*out XX* prot**tions. T** *ix r*pl**** t*is wit* XMLUtils.s***Tr*ns*orm() w*i