Junit
CVE-2018-1000056
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 11 maven packages depend on org.jenkins-ci.plugins:junit (10 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.24.
DescriptionNVD
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
AnalysisAI
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks. Affected products include: Jenkins Junit.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Disable external entity processing in XML parsers, use JSON instead of XML where possible.
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, re
Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in a
Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stor
Share
External POC / Exploit Code
Leaving vuln.today