CVE-2018-1000011

Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Published: Jan 23, 2018
Updated: May 9, 2024
CVE: CVE-2018-1000011
GHSA: GHSA-pr9h-g7p7-rrqh
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
jenkins / findbugs	-	4.71.x
org.jvnet.hudson.plugins.findbugs / library	-	4.7.1.x

https://jenkins.io/security/advisory/2018-01-22/

Vulnerability Database

CVE-2018-1000011