{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-02-05T00:00:00", "datePublic": "2018-02-05T00:00:00", "descriptions": [{"lang": "en", "value": "Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-09T22:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2018-02-05/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2/5/2018 0:00:00", "ID": "CVE-2018-1000056", "REQUESTER": "ml@beckweb.net", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2018-02-05/", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2018-02-05/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:33:49.029Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2018-02-05/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000056", "datePublished": "2018-02-09T23:00:00", "dateReserved": "2018-02-05T00:00:00", "dateUpdated": "2024-08-05T12:33:49.029Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:junit:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "4E6BDFEF-84FF-4FEE-B89E-B6C9178E291C", "versionEndIncluding": "1.23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks."}, {"lang": "es", "value": "Jenkins JUnit Plugin, en versiones 1.23 y anteriores, procesa entidades externas XML en archivos que analiza como parte del proceso de construcci\u00f3n. Esto permite que atacantes con permisos de usuario en Jenkins extraigan secretos del directorio de inicio del servidor maestro de Jenkins, realicen Server-Side Request Forgery o ataques de denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2018-1000056", "lastModified": "2018-03-06T15:31:09.113", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-09T23:29:02.027", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2018-02-05/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}, {"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "jenkins-plugin-junit: XML External Entity (XXE) via a maliciously crafted file", "id": "1542723", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1542723"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-611", "details": ["Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks."], "name": "CVE-2018-1000056", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Will not fix", "package_name": "jenkins-plugin-junit", "product_name": "Red Hat OpenShift Enterprise 3"}], "public_date": "2018-02-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1000056\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000056"], "threat_severity": "Moderate", "upstream_fix": "jenkins-plugin-junit 1.24"}