XML External Entity injection in Jenkins Play Framework
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2014-3630 |
| CWE-ID | CWE-611 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Play Framework Web applications / Modules and components for CMS |
| Vendor | Jenkins |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) XML External Entity injection
EUVDB-ID: #VU37721
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2014-3630
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.
MitigationInstall update from vendor's website.
Vulnerable software versionsPlay Framework: 2.2.0 - 2.3.4
CPE2.3- cpe:2.3:a:jenkins:play_framework:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:play_framework:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:play_framework:2.2.2:*:*:*:*:*:*:*
https://groups.google.com/forum/#!msg/play-framework/7uNX_ImTW08/AogWSjsTAyQJ
https://groups.google.com/forum/#!topic/play-framework/WdbFvemsFDQ
https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf
https://playframework.com/security/vulnerability/CVE-2014-3630-XmlExternalEntity
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
