CVE-2019-10309 - OpenCVE

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients.

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:A/AC:L/Au:N/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Self-organizing Swarm Modules

Configuration 1 [-]

cpe:2.3:a:jenkins:self-organizing_swarm_modules:-:*:*:*:*:jenkins:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2019/04/30/5	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/108159
https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252	Vendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2019-04-30T12:25:17

Updated: 2023-10-24T16:47:06.212Z

Reserved: 2019-03-29T00:00:00

Link: CVE-2019-10309

JSON object: View

NVD Information

Status : Modified

Published: 2019-04-30T13:29:05.407

Modified: 2023-10-25T18:16:14.857

Link: CVE-2019-10309

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "Jenkins Self-Organizing Swarm Plug-in Modules Plugin", "vendor": "Jenkins project", "versions": [{"status": "affected", "version": "3.15 and earlier"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:47:06.212Z"}, "references": [{"name": "[oss-security] 20190430 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/04/30/5"}, {"name": "108159", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108159"}, {"tags": ["x_refsource_MISC"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10309", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Self-Organizing Swarm Plug-in Modules Plugin", "version": {"version_data": [{"version_value": "3.15 and earlier"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20190430 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/04/30/5"}, {"name": "108159", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108159"}, {"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783"}, {"name": "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252"}]}}}}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10309", "datePublished": "2019-04-30T12:25:17", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2023-10-24T16:47:06.212Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:self-organizing_swarm_modules:-:*:*:*:*:jenkins:*:*", "matchCriteriaId": "EA4F4D41-3BEE-443D-8892-738E297DF7BB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients."}, {"lang": "es", "value": "En los Plugin Self-Organizing Swarm y Modules de Jenkins, clientes que usan difusi\u00f3n UDP para encontrar servidores maestros Jenkins no impiden el procesamiento de entidades externas XML al procesar las respuestas, lo que permite a los atacantes no autorizados de la misma red leer de manera arbitraria archivos de clientes Swarm."}], "id": "CVE-2019-10309", "lastModified": "2023-10-25T18:16:14.857", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-30T13:29:05.407", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/04/30/5"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "http://www.securityfocus.com/bid/108159"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}