CVE-2025-64134
BaseFortify
Publication date: 2025-10-29
Last updated on: 2025-11-05
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | jdepend | to 1.3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Jenkins JDepend Plugin version 1.3.1 and earlier, which includes an outdated JDepend Maven Plugin. The issue is that the XML parser used by the plugin is not configured to prevent XML external entity (XXE) attacks, which can allow an attacker to exploit the XML processing to access unauthorized data or cause other malicious effects.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to perform XML external entity (XXE) attacks, potentially leading to unauthorized access to sensitive information (confidentiality impact is high), partial integrity compromise, and no impact on availability. This could result in data leaks or manipulation within the affected Jenkins environment.