CVE-2025-64134

high

Description

Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.

References

https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-2936

Details

Source: Mitre, NVD

Published: 2025-10-29

Updated: 2025-10-30

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N

Severity: High

CVSS v3

Base Score: 7.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N