CVE-2019-1003015: An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in…

critical9.1CVSS 3.0

AVNACLPRNUINSUCHINAH

An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.

Affected

19 ranges

Vendor	Product	Version range	Fixed in
jenkins	active_directory_plugin	—	—
jenkins	blue_ocean_plugin	—	—
jenkins	config_file_provider_plugin	—	—
jenkins	from_job_import_plugin	—	—
jenkins	git_plugin	—	—
jenkins	github_authentication_plugin	—	—
jenkins	groovy_plugin	—	—
jenkins	jenkins_startup_or_after_monitoring_plugin	—	—
jenkins	job_import	<= 2.1	—
jenkins	job_import_plugin	—	—
jenkins	kanboard_plugin	—	—
jenkins	monitoring_plugin	—	—
jenkins	openid_connect_authentication_plugin	—	—
jenkins	script_security_plugin	—	—
jenkins	token_macro_plugin	—	—
jenkins	warnings_next_generation_plugin	—	—
jenkins	warnings_plugin	—	—
jenkins	xml_parser_used_in_job_import_plugin	—	—
jenkins_project	jenkins_job_import_plugin	—	—