Description

Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Remediation

References

http://www.securityfocus.com/bid/102844

https://jenkins.io/security/advisory/2018-01-22/

Related Vulnerabilities

CVE-2022-31108 Vulnerability in maven package org.webjars.bower:mermaid

CVE-2019-10280 Vulnerability in maven package org.jenkins-ci.plugins:assembla-auth

CVE-2020-2176 Vulnerability in maven package it.infuse.jenkins:usemango-runner

CVE-2022-25897 Vulnerability in maven package org.eclipse.milo:sdk-server

CVE-2022-23082 Vulnerability in maven package io.whitesource:curekit

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Vendor Advisory