SB2017122917 - XML External Entity injection in Jenkins Play Framework
Published: December 29, 2017 Updated: August 8, 2020
Security Bulletin ID
SB2017122917
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) XML External Entity injection (CVE-ID: CVE-2014-3630)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.
Remediation
Install update from vendor's website.
References
- https://groups.google.com/forum/#!msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ
- https://groups.google.com/forum/#!topic/play-framework/WdbFvemsFDQ
- https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
- https://playframework.com/security/vulnerability/CVE-2014-3630-XmlExternalEntity