CVE-2019-1003015

CWE-611 — XML External Entity (XXE)5 documents5 sources

Severity

9.1CRITICAL

EPSS

0.1%

top 70.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins JOB Import Jenkins Project Jenkins JOB Import Plugin

Timeline

PublishedFeb 6

Latest updateMay 13

Description

An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:job-import-plugin< 3.0

▶CVEListV5jenkins_project/jenkins_job_import_plugin2.1 and earlier

▶NVDjenkins/job_import2.1

🔴Vulnerability Details

OSV

XXE vulnerability in Jenkins Job Import Plugin↗2022-05-13

▶

GHSA

XXE vulnerability in Jenkins Job Import Plugin↗2022-05-13

▶

CVEList

CVE-2019-1003015: An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2↗2019-02-06

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-01-28↗2019-01-28

▶