Jenkins JDepend Plugin XML External Entity Vulnerability

Vulnerability

An XML external entity (XXE) vulnerability exists in the JDepend Plugin for Jenkins, in versions up to and including 1.3.1. The plugin bundles an outdated version of the JDepend Maven Plugin whose XML parser is not configured to prevent XXE processing. An attacker who can supply or influence the XML report consumed by the 'Report JDepend' build step can therefore embed an external entity declaration in it; when the Jenkins controller parses the report, the entity is resolved, which can disclose the contents of files on the controller or cause the controller to issue requests on the attacker's behalf (server-side request forgery).
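The following is an added illustration written for this page, not code from the JDepend Plugin or from Jenkins. It shows the mechanism described above on a constructed, JDepend-shaped report: a JAXP DocumentBuilder left at its defaults (the permissive pattern) resolves the injected SYSTEM entity and pulls a local file into the parsed tree, while a builder that rejects DOCTYPE declarations and disables external entities refuses the same input. The class name, the temporary secret file and the sample report are assumptions for the demo; they do not reproduce the plugin's actual parser code.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class JDependXxeDemo {

    // Constructed sample report (not real JDepend output): shaped like a JDepend XML
    // report, with an attacker-supplied DOCTYPE whose external entity points at a local
    // file. The reference sits in element content on purpose, because XML forbids
    // external entity references inside attribute values.
    static String maliciousReport(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE JDepend [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<JDepend>\n"
             + "  <Packages>\n"
             + "    <Package name=\"com.example\">\n"
             + "      <Stats><TotalClasses>&xxe;</TotalClasses></Stats>\n"
             + "    </Package>\n"
             + "  </Packages>\n"
             + "</JDepend>\n";
    }

    // Vulnerable pattern: a DocumentBuilder built from factory defaults resolves
    // external general entities, so the SYSTEM identifier above gets fetched.
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened pattern: reject any DOCTYPE outright (a JDepend report needs none), and
    // additionally switch off external entities, external DTD loading and XInclude in
    // case a parser implementation does not honour the first feature.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Mimics what a report consumer does: parse the report and read one statistic.
    static String totalClasses(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("TotalClasses").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret on the controller's file system (constructed for the demo).
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.writeString(secret, "example-api-token");
        String xml = maliciousReport(secret);

        // With the default parser, the "statistic" now carries the file's contents.
        System.out.println("permissive parser read: " + totalClasses(permissiveBuilder(), xml));

        // With the hardened parser, parsing fails at the DOCTYPE, before any entity is resolved.
        try {
            totalClasses(hardenedBuilder(), xml);
            System.out.println("hardened parser: unexpectedly accepted the report");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected the report: " + e.getMessage());
        } finally {
            Files.delete(secret);
        }
    }
}
```

The same SYSTEM identifier could name an `http://` URL instead of a file, which is the server-side request forgery variant: the controller, not the attacker, makes the request. Rejecting the DOCTYPE closes both paths at once, which is why it is the first setting in the hardened builder.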

Impact

Exploitation of this vulnerability could disclose secrets stored on the Jenkins controller, or let an attacker perform server-side request forgery from the controller against systems it can reach.

Added: Oct 29, 2025, 2:33 PM
Updated: Oct 29, 2025, 2:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 5.2
remediation: 0.0
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.