VYPR
Critical severity · NVD Advisory · Published Sep 26, 2018 · Updated Aug 5, 2024

CVE-2018-15531

Description

JavaMelody before 1.74.0 allows XXE via the parseSoapMethodName function, enabling XML external entity processing in monitoring applications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2018-15531 is an XXE (XML External Entity) vulnerability in JavaMelody, a monitoring tool for Java applications. The flaw is in the parseSoapMethodName method of net/bull/javamelody/PayloadNameRequestWrapper.java. Affected versions are JavaMelody before 1.74.0 [1][4]. It is triggered when the wrapper parses the body of a SOAP request with a StAX XMLInputFactory whose defaults leave DTD processing and external entity resolution enabled, so the XML parser resolves any external entities the request declares.

Exploitation

An attacker can exploit this vulnerability by sending a crafted XML SOAP request to a JavaMelody instance. No authentication is required if the monitoring endpoint is publicly accessible, but the attacker must be able to reach the SOAP endpoint. By injecting an external entity definition referencing a local file or an external server, the attacker can trigger the XML parser to evaluate the entity, leading to information disclosure [2][3][4].

Impact

Successful exploitation results in XML External Entity (XXE) processing, which can lead to disclosure of sensitive files on the server, server-side request forgery (SSRF), or denial of service. The impact is primarily information disclosure and potential reconnaissance for further attacks [1][2][3].

Mitigation

The vulnerability is fixed in JavaMelody version 1.74.0 [1][2][3]. Users should upgrade to this version or later. There is no known workaround. As of this writing, this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
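The hardening the 1.74.0 fix applies, as an added example that is not JavaMelody's own code: a minimal SOAP method-name extractor that sets the same two XMLInputFactory properties, fed a constructed clean request and a constructed request carrying a DOCTYPE. The class name, the envelope contents and the placement of the entity reference in the Header are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SoapMethodNameDemo {
    /** Local name of the first element inside the SOAP Body, or null if there is none. */
    static String parseSoapMethodName(InputStream stream) throws XMLStreamException {
        final XMLInputFactory factory = XMLInputFactory.newInstance();
        // The same two properties the 1.74.0 fix adds: no DTD processing, no external entities.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        final XMLStreamReader reader = factory.createXMLStreamReader(stream, "UTF-8");
        try {
            boolean inBody = false;
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT) {
                    if (inBody) {
                        return reader.getLocalName();
                    }
                    inBody = "Body".equals(reader.getLocalName());
                }
            }
            return null;
        } finally {
            reader.close();
        }
    }
    static String parse(String xml) throws XMLStreamException {
        return parseSoapMethodName(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        final String ns = "xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"";
        // Constructed, well-formed SOAP 1.1 request: the method name is extracted as before.
        System.out.println("method = " + parse("<soap:Envelope " + ns + "><soap:Body>"
                + "<getUser xmlns=\"urn:example\"><id>42</id></getUser></soap:Body></soap:Envelope>"));
        // Constructed request with a DOCTYPE whose entity is referenced before the Body. With
        // SUPPORT_DTD=false the DTD is skipped or rejected, so &e; is never expanded and the parse fails.
        try {
            System.out.println("method = " + parse("<!DOCTYPE x [<!ENTITY e \"text\">]>"
                    + "<soap:Envelope " + ns + "><soap:Header><h>&e;</h></soap:Header>"
                    + "<soap:Body><ping/></soap:Body></soap:Envelope>"));
        } catch (XMLStreamException e) {
            System.out.println("parse refused: " + e.getMessage());
        }
    }
}
```

The first call prints `method = getUser`; the second ends in the catch block, with an implementation-specific message such as an undeclared-entity or DOCTYPE-not-allowed error.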

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                       Affected versions   Patched versions
net.bull.javamelody:javamelody-core (Maven)   < 1.74.0            1.74.0

Affected products

1

Patches

2
f3a12ae1b0f1

[maven-release-plugin] prepare release javamelody-core-1.74.0

1 file changed · +2 −2
  • javamelody-core/pom.xml  +2 −2  modified
    @@ -3,7 +3,7 @@
     	<modelVersion>4.0.0</modelVersion>
    
     	<groupId>net.bull.javamelody</groupId>
    
     	<artifactId>javamelody-core</artifactId>
    
    -	<version>1.74.0-SNAPSHOT</version>
    
    +	<version>1.74.0</version>
    
     	<packaging>jar</packaging>
    
     	<name>JavaMelody - Core</name>
    
     	<description>Monitoring of JavaEE applications</description>
    
    @@ -30,7 +30,7 @@
     		<connection>scm:git:git@github.com:javamelody/javamelody.git</connection>
    
     		<developerConnection>scm:git:git@github.com:javamelody/javamelody.git</developerConnection>
    
     		<url>https://github.com/javamelody/javamelody</url>
    
    -		<tag>HEAD</tag>
    
    +		<tag>javamelody-core-1.74.0</tag>
    
     	</scm>
    
     	<ciManagement>
    
     		<system>Jenkins</system>
    
    
ef111822562d

fix for security

1 file changed · +2 −0
  • javamelody-core/src/main/java/net/bull/javamelody/PayloadNameRequestWrapper.java  +2 −0  modified
    @@ -235,6 +235,8 @@ private static String parseSoapMethodName(InputStream stream, String charEncodin
     		try {
    
     			// newInstance() et pas newFactory() pour java 1.5 (issue 367)
    
     			final XMLInputFactory factory = XMLInputFactory.newInstance();
    
    +			factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // disable DTDs entirely for that factory
    
    +			factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // disable external entities
    
     			final XMLStreamReader xmlReader;
    
     			if (charEncoding != null) {
    
     				xmlReader = factory.createXMLStreamReader(stream, charEncoding);
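Review bot: the two setProperty calls change what parseSoapMethodName does for any request that carries a DOCTYPE: depending on the StAX implementation the DTD is either skipped (so every entity reference in the payload is then undeclared) or rejected outright, and in both cases the reader throws XMLStreamException instead of yielding a method name; confirm that the try block opened at the top of this hunk catches that exception and falls back to a harmless name rather than failing the monitored request, and describe this behaviour change in the commit message, which currently reads only "fix for security". A one-line comment on why both properties are set would also help future readers: IS_SUPPORTING_EXTERNAL_ENTITIES is redundant once SUPPORT_DTD is false, but keeping it is reasonable defence in depth for implementations that do not honour SUPPORT_DTD.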
    
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.