cve-2019-10327
Vulnerability from cvelistv5
Published
2019-05-31 14:20
Modified
2024-08-04 22:17
Severity ?
EPSS score ?
Summary
An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Jenkins project | Jenkins Pipeline Maven Integration Plugin |
Version: 1.7.0 and earlier |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:17:20.349Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2" }, { "name": "108540", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108540" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Pipeline Maven Integration Plugin", "vendor": "Jenkins project", "versions": [ { "status": "affected", "version": "1.7.0 and earlier" } ] } ], "descriptions": [ { "lang": "en", "value": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory\u0027s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks." } ], "providerMetadata": { "dateUpdated": "2023-10-24T16:47:27.539Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2" }, { "name": "108540", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108540" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10327", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jenkins Pipeline Maven Integration Plugin", "version": { "version_data": [ { "version_value": "1.7.0 and earlier" } ] } } ] }, "vendor_name": "Jenkins project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory\u0027s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-611" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2" }, { "name": "108540", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108540" }, { "name": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409" } ] } } } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10327", "datePublished": "2019-05-31T14:20:19", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2024-08-04T22:17:20.349Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-10327\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2019-05-31T15:29:00.467\",\"lastModified\":\"2024-11-21T04:18:53.937\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory\u0027s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de las entidades externas XML (XXE) en el Plugin Pipeline Maven Integration de Jenkins versi\u00f3n 1.7.0 y anteriores, permit\u00eda a los atacantes calificados para controlar el contenido de un directorio temporal en el agente que ejecuta la compilaci\u00f3n de Maven para que Jenkins analice un archivo XML creado maliciosamente que utiliza entidades externas para la extracci\u00f3n de informaci\u00f3n confidencial del servidor maestro de Jenkins, una falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) o ataques de Denegaci\u00f3n de Servicio (DoS).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:pipeline_maven_integration:*:*:*:*:*:jenkins:*:*\",\"versionEndIncluding\":\"1.7.0\",\"matchCriteriaId\":\"F6ACB812-76B5-482D-B21F-A606A20AE91A\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2019/05/31/2\",\"source\":\"jenkinsci-cert@googlegroups.com\"},{\"url\":\"http://www.securityfocus.com/bid/108540\",\"source\":\"jenkinsci-cert@googlegroups.com\"},{\"url\":\"https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/05/31/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/108540\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.