CVE-2019-10327

Published: May 31, 2019Modified: Nov 21, 2024

8.1

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

Affected (1)

Products: Jenkins: Pipeline Maven Integration

1 product

Pipeline Maven Integration

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Pipeline Maven Integration	Up to 1.7.0

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (6)

http://www.openwall.com/lists/oss-security/2019/05/31/2

Source: jenkinsci-cert@googlegroups.com

http://www.securityfocus.com/bid/108540

Source: jenkinsci-cert@googlegroups.com

https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2019/05/31/2

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/108540

Source: af854a3a-2127-422b-91ae-364da2661108

https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.