exploitDog
GHSA-jfg6-4gx3-3v7w

Published: 29 Oct 2025
Source: github
GitHub: reviewed
CVSS3: 7.1

Description

Jenkins JDepend Plugin vulnerable to XML external entity attacks

Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

Packages

Name: org.jenkins-ci.plugins:jdepend
Ecosystem: maven
Affected versions: <= 1.3.1
Fixed version: none

EPSS

Percentile: 15%
Score: 0.00047
Low

CVSS3: 7.1 High

Weaknesses

CWE-611

Related vulnerabilities

CVSS3: 7.1
Source: nvd
3 months ago

Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.
