CVE-2019-16549

CWE-611 — XML External Entity (XXE)5 documents5 sources

Severity

8.1HIGH

EPSS

0.1%

top 75.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Maven Release Plugin Jenkins Maven

Timeline

PublishedDec 17

Latest updateMay 24

Description

Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_maven_release_pluginunspecified — 0.16.1

▶Mavenorg.jenkins-ci.plugins.m2release:m2release< 0.16.2

▶NVDjenkins/maven0.16.1

🔴Vulnerability Details

GHSA

Jenkins Maven Release Plug-in Plugin XXE vulnerability↗2022-05-24

▶

OSV

Jenkins Maven Release Plug-in Plugin XXE vulnerability↗2022-05-24

▶

CVEList

CVE-2019-16549: Jenkins Maven Release Plugin 0↗2019-12-17

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-12-17↗2019-12-17

▶