XML External Entities Vulnerability in Jenkins Token Macro Plugin
CVE-2019-10337
7.5 HIGH
What is CVE-2019-10337?
An XML external entities (XXE) vulnerability exists in Jenkins Token Macro Plugin versions 2.7 and earlier. This issue allows remote attackers who manipulate the input file for the 'XML' macro to have external entities resolved. Exploitation of this vulnerability can lead to the unauthorized extraction of sensitive data from the Jenkins agent, server-side request forgery, and potential denial-of-service attacks.
Affected Version(s)
Jenkins Token Macro Plugin 2.7 and earlier