CVE-2019-10337 — XML External Entity (XXE) Injection in Jenkins Token Macro

CWE-611 — XML External Entity (XXE) Injection7 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 53.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Token Macro Jenkins Project Jenkins Token Macro Plugin

Timeline

PublishedJun 11

Latest updateMay 24

Description

An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_token_macro_plugin2.7 and earlier

▶NVDjenkins/token_macro2.7

🔴Vulnerability Details

GHSA

Improper Restriction of XML External Entity Reference Jenkins Token Macro Plugin↗2022-05-24

▶

OSV

Improper Restriction of XML External Entity Reference Jenkins Token Macro Plugin↗2022-05-24

▶

CVEList

CVE-2019-10337: An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2↗2019-06-11

▶

📋Vendor Advisories

Red Hat

jenkins-plugin-token-macro: XML External Entity processing the ${XML} macro↗2019-06-11

▶

Jenkins

Jenkins Security Advisory 2019-06-11↗2019-06-11

▶

💬Community

Bugzilla

CVE-2019-10337 jenkins-plugin-token-macro: XML External Entity processing the ${XML} macro↗2019-06-12

▶