{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "CloudBees", "versions": [{"status": "affected", "version": "before 1.600"}]}, {"product": "Jenkins LTS", "vendor": "CloudBees", "versions": [{"status": "affected", "version": "before 1.596.1"}]}], "datePublic": "2015-02-27T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-15T18:05:30", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"}, {"tags": ["x_refsource_MISC"], "url": "https://jenkins.io/security/advisory/2015-02-27/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-1809", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_value": "before 1.600"}]}}, {"product_name": "Jenkins LTS", "version": {"version_data": [{"version_value": "before 1.596.1"}]}}]}, "vendor_name": "CloudBees"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"}, {"name": "https://jenkins.io/security/advisory/2015-02-27/", "refsource": "MISC", "url": "https://jenkins.io/security/advisory/2015-02-27/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:54:16.372Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jenkins.io/security/advisory/2015-02-27/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-1809", "datePublished": "2020-01-15T18:05:30", "dateReserved": "2015-02-17T00:00:00", "dateUpdated": "2024-08-06T04:54:16.372Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:cloudbees:*:*:*:*:lts:jenkins:*:*", "matchCriteriaId": "C84374AF-1A74-442D-B5DB-AF0A9AC70F85", "versionEndExcluding": "1.596.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:cloudbees:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "000A7DB6-8E3A-4936-A2F2-DFC6A7B5E07E", "versionEndExcluding": "1.600", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query."}, {"lang": "es", "value": "Una vulnerabilidad de tipo XML external entity (XXE) en CloudBees Jenkins versiones anteriores a 1.600 y LTS versiones anteriores a 1.596.1, permite a atacantes remotos leer archivos XML arbitrarios por medio de una consulta XPath."}], "id": "CVE-2015-1809", "lastModified": "2024-11-21T02:26:11.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-15T19:15:12.457", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2015-02-27/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2015-02-27/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "jenkins-0:1.609.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-broker-0:1.16.2.10-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-broker-util-0:1.36.2.2-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-diy-0:1.26.1.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-haproxy-0:1.30.1.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-jbosseap-0:2.26.3.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-jbossews-0:1.34.3.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-jenkins-0:1.28.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-mock-0:1.22.1.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-nodejs-0:1.33.1.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-perl-0:1.30.1.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-php-0:1.34.1.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-python-0:1.33.3.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-ruby-0:1.32.1.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-logshifter-0:1.10.1.2-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-node-util-0:1.37.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rhc-0:1.37.1.2-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-console-0:1.35.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-controller-0:1.37.3.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-frontend-apache-vhost-0:0.12.4.2-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-gear-placement-0:0.0.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-msg-broker-mcollective-0:1.35.3.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-node-0:1.37.1.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}, {"advisory": "RHSA-2015:1844", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-routing-daemon-0:0.25.1.2-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2015-09-30T00:00:00Z"}], "bugzilla": {"description": "jenkins: external entity injection via XPath (SECURITY-165)", "id": "1205625", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205625"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["XML external entity (XXE) vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote attackers to read arbitrary XML files via an XPath query.", "It was found that Jenkins' XPath handling allowed XML External Entity (XXE) expansion. A remote attacker with read access could use this flaw to read arbitrary XML files on the Jenkins server."], "name": "CVE-2015-1809", "public_date": "2015-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-1809\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-1809\nhttps://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27"], "threat_severity": "Moderate", "upstream_fix": "Jenkins 1.600, Jenkins 1.596.1"}