CVE-2018-1000056: XEE
First published: Fri Feb 09 2018(Updated: )
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins | <=1.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-1000056?
CVE-2018-1000056 is considered a critical vulnerability due to its potential for data exposure and denial-of-service attacks.
How do I fix CVE-2018-1000056?
To fix CVE-2018-1000056, you should upgrade the Jenkins JUnit Plugin to version 1.24 or later.
What types of attacks can CVE-2018-1000056 facilitate?
CVE-2018-1000056 can facilitate attacks such as secret extraction, server-side request forgery, and denial-of-service.
Who is affected by CVE-2018-1000056?
Any Jenkins user with permission to run builds using the JUnit Plugin version 1.23 or earlier is affected by CVE-2018-1000056.
What is the impact of exploiting CVE-2018-1000056?
Exploiting CVE-2018-1000056 can lead to the extraction of sensitive information from the Jenkins master and possible disruption of services.
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/jenkins
- canonical/jenkins
- version/jenkins/1.23