XML External Entity Processing Vulnerability in Jenkins Self-Organizing Swarm Plug-in Modules
CVE-2019-10309
9.3 CRITICAL
Key Information:
- Vendor: Jenkins
- CVE Published: 30 April 2019
What is CVE-2019-10309?
The Jenkins Self-Organizing Swarm Plug-in Modules plugin contains a vulnerability in which Swarm clients that use UDP broadcasts to discover Jenkins masters process XML External Entities. This flaw enables unauthorized attackers on the same network to read arbitrary files from Swarm clients, potentially leading to data exposure and confidentiality breaches. Addressing this vulnerability is crucial for maintaining the security of Jenkins installations and protecting sensitive information.
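For code that parses XML received from the network, as the Swarm client does with discovery replies, the standard JAXP hardening is to reject any document that carries a DOCTYPE. The following is an added example, not the plugin's own code or its fix; the class name, the `<response>`/`<url>` element names and both sample payloads are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public class HardenedDiscoveryParser {

    // DOM parser that refuses DTDs, so no entity declaration is ever processed.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse an untrusted datagram payload and return the advertised URL (hypothetical schema).
    static String parseUrl(byte[] payload) throws Exception {
        Document doc = hardenedBuilder().parse(new ByteArrayInputStream(payload));
        NodeList urls = doc.getDocumentElement().getElementsByTagName("url");
        if (urls.getLength() == 0) {
            throw new SAXException("discovery reply has no <url> element");
        }
        return urls.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one well-formed reply, one that declares an external entity.
        String benign = "<response><url>http://jenkins.example:8080/</url></response>";
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE response [<!ENTITY x SYSTEM \"file:///constructed-placeholder\">]>"
            + "<response><url>&x;</url></response>";

        System.out.println("accepted: " + parseUrl(benign.getBytes(StandardCharsets.UTF_8)));
        try {
            parseUrl(withDoctype.getBytes(StandardCharsets.UTF_8));
            System.out.println("unexpected: DOCTYPE payload was parsed");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the parser fails on the DOCTYPE declaration itself, the referenced file is never opened; the reply is dropped before any entity is resolved.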
Affected Version(s)
Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.15 and earlier