Miggo Logo

CVE-2018-1000010: XXE vulnerability in Jenkins DRY Plugin

8.8

CVSS Score
3.0

Basic Information

EPSS Score
0.21424%
Published
5/14/2022
Updated
1/30/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jvnet.hudson.plugins:drymaven<= 2.492.50

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure XML parsing in the DRY Plugin. While no patch code is provided, the advisory explicitly states the fix involved disabling external entity resolution - a mitigation that would be applied in the XML parsing method. Jenkins static analysis plugins typically handle parsing in a Parser class (e.g., DryParser) with a parse() method. The function signature follows Java XML parsing patterns observed in similar Jenkins plugin vulnerabilities (CWE-611).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *RY Plu*in *.** *n* **rli*r pro**ss*s XML *xt*rn*l *ntiti*s in *il*s it p*rs*s *s p*rt o* t** *uil* pro**ss, *llowin* *tt**k*rs wit* us*r p*rmissions in J*nkins to *xtr**t s**r*ts *rom t** J*nkins m*st*r, p*r*orm s*rv*r-si** r*qu*st *or**ry,

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* in t** *RY Plu*in. W*il* no p*t** *o** is provi***, t** **visory *xpli*itly st*t*s t** *ix involv** *is**lin* *xt*rn*l *ntity r*solution - * miti**tion t**t woul* ** *ppli** in t** XML p*rsin* m*t*o*.