8.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000054

GHSA ID

GHSA-c4mp-h3m2-h5mc

EPSS Score

0.21424%

CWE

CWE-611

Published

5/14/2022

Updated

2/2/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000054

CVE-2018-1000054: Jenkins CCM Plugin vulnerable to Improper Restriction of XML External Entity Reference

Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

(GitHub Advisory)

8.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000054

GHSA ID

GHSA-c4mp-h3m2-h5mc

EPSS Score

0.21424%

CWE

CWE-611

Published

5/14/2022

Updated

2/2/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jvnet.hudson.plugins:ccm	maven	< 3.2	3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parsing in the CCM Plugin. The advisory explicitly states the plugin processes XML files with external entity resolution enabled. While no exact code is provided, XXE vulnerabilities in Java typically occur in XML parsing functions using DocumentBuilder/SAXParser without disabling DTDs (via features like XMLConstants.FEATURE_SECURE_PROCESSING). The CcmParser class is the logical location for XML processing in a CCM report analysis plugin, and the patched version (3.2) likely added secure parser configuration here. This matches the CWE-611 pattern and Jenkins' own mitigation description ('external entity resolution has been disabled').

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins **M Plu*in *.* *n* **rli*r pro**ss*s XML *xt*rn*l *ntiti*s in *il*s it p*rs*s *s p*rt o* t** *uil* pro**ss, *llowin* *tt**k*rs wit* us*r p*rmissions in J*nkins to *xtr**t s**r*ts *rom t** J*nkins m*st*r, p*r*orm s*rv*r-si** r*qu*st *or**ry, o

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rsin* in t** **M Plu*in. T** **visory *xpli*itly st*t*s t** plu*in pro**ss*s XML *il*s wit* *xt*rn*l *ntity r*solution *n**l**. W*il* no *x**t *o** is provi***, XX* vuln*r**iliti*s in J*v* typi**lly o**ur i

8.3

Basic Information

Concerned about an active attack path?

CVE-2018-1000054: Jenkins CCM Plugin vulnerable to Improper Restriction of XML External Entity Reference

8.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI