CVE-2019-10327 - OpenCVE

An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Pipeline Maven Integration

Configuration 1 [-]

cpe:2.3:a:jenkins:pipeline_maven_integration:*:*:*:*:*:jenkins:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2019/05/31/2
http://www.securityfocus.com/bid/108540
https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2019-05-31T14:20:19

Updated: 2023-10-24T16:47:27.539Z

Reserved: 2019-03-29T00:00:00

Link: CVE-2019-10327

JSON object: View

NVD Information

Status : Modified

Published: 2019-05-31T15:29:00.467

Modified: 2023-10-25T18:16:16.037

Link: CVE-2019-10327

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "Jenkins Pipeline Maven Integration Plugin", "vendor": "Jenkins project", "versions": [{"status": "affected", "version": "1.7.0 and earlier"}]}], "descriptions": [{"lang": "en", "value": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:47:27.539Z"}, "references": [{"name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"}, {"name": "108540", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108540"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2019-10327", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Pipeline Maven Integration Plugin", "version": {"version_data": [{"version_value": "1.7.0 and earlier"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"}, {"name": "108540", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108540"}, {"name": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409"}]}}}}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-10327", "datePublished": "2019-05-31T14:20:19", "dateReserved": "2019-03-29T00:00:00", "dateUpdated": "2023-10-24T16:47:27.539Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:pipeline_maven_integration:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F6ACB812-76B5-482D-B21F-A606A20AE91A", "versionEndIncluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks."}, {"lang": "es", "value": "Una vulnerabilidad de las entidades externas XML (XXE) en el Plugin Pipeline Maven Integration de Jenkins versi\u00f3n 1.7.0 y anteriores, permit\u00eda a los atacantes calificados para controlar el contenido de un directorio temporal en el agente que ejecuta la compilaci\u00f3n de Maven para que Jenkins analice un archivo XML creado maliciosamente que utiliza entidades externas para la extracci\u00f3n de informaci\u00f3n confidencial del servidor maestro de Jenkins, una falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) o ataques de Denegaci\u00f3n de Servicio (DoS)."}], "id": "CVE-2019-10327", "lastModified": "2023-10-25T18:16:16.037", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-31T15:29:00.467", "references": [{"source": "jenkinsci-cert@googlegroups.com", "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"}, {"source": "jenkinsci-cert@googlegroups.com", "url": "http://www.securityfocus.com/bid/108540"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}