CVE-2015-5319

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Published Bysecalert@redhat.com

Published DateNov 25, 2015, 20:59

Affected Versions(2)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced1.626

Fixed1.638

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed1.625.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	1.626	1.638	N/A
org.jenkins-ci.main:jenkins-core(Maven)	0	1.625.2	N/A

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE