ID CVE-2018-1000008
Summary Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or mount denial-of-service attacks.
References
Vulnerable Configurations
  • cpe:2.3:a:jenkins:pmd:1.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.9:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.10:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.11:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.12:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.13:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.14:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.15:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.16:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.17:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.18:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.19:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:1.20:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.9:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.10:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.11:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.12:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:2.13:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.9:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.10:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.11:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.12:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.13:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.14:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.15:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.16:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.17:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.18:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.19:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.20:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.21:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.22:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.23:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.24:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.25:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.26:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.27:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.28:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.29:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.30:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.31:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.32:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.33:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.34:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.35:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.36:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.37:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.38:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.39:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.40:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.41:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.42:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.43:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.44:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.45:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.46:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.47:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.48:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:pmd:3.49:*:*:*:*:jenkins:*:*
CVSS
Base: 6.5 (as of 07-02-2018 - 12:18)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: SINGLE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
refmap via4
bid 102844
confirm https://jenkins.io/security/advisory/2018-01-22/
Last major update 07-02-2018 - 12:18
Published 23-01-2018 - 14:29
Last modified 07-02-2018 - 12:18