CVE-2019-10327 (GCVE-0-2019-10327)

Vulnerability from cvelistv5 – Published: 2019-05-31 14:20 – Updated: 2024-08-04 22:17
VLAI?
Summary
An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Jenkins project Jenkins Pipeline Maven Integration Plugin Affected: 1.7.0 and earlier
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:17:20.349Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"
          },
          {
            "name": "108540",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108540"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Pipeline Maven Integration Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "status": "affected",
              "version": "1.7.0 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory\u0027s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:47:27.539Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"
        },
        {
          "name": "108540",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108540"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-10327",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Pipeline Maven Integration Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.7.0 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory\u0027s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-611"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20190531 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"
            },
            {
              "name": "108540",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108540"
            },
            {
              "name": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2019-10327",
    "datePublished": "2019-05-31T14:20:19",
    "dateReserved": "2019-03-29T00:00:00",
    "dateUpdated": "2024-08-04T22:17:20.349Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:pipeline_maven_integration:*:*:*:*:*:jenkins:*:*\", \"versionEndIncluding\": \"1.7.0\", \"matchCriteriaId\": \"F6ACB812-76B5-482D-B21F-A606A20AE91A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory\u0027s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de las entidades externas XML (XXE) en el Plugin Pipeline Maven Integration de Jenkins versi\\u00f3n 1.7.0 y anteriores, permit\\u00eda a los atacantes calificados  para controlar el contenido de un directorio temporal en el agente que ejecuta la compilaci\\u00f3n de Maven para que Jenkins analice un archivo XML creado maliciosamente que utiliza entidades externas para la extracci\\u00f3n de informaci\\u00f3n confidencial del servidor maestro de Jenkins, una falsificaci\\u00f3n de petici\\u00f3n del lado del servidor (SSRF) o ataques de Denegaci\\u00f3n de Servicio (DoS).\"}]",
      "id": "CVE-2019-10327",
      "lastModified": "2024-11-21T04:18:53.937",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:P\", \"baseScore\": 5.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-05-31T15:29:00.467",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2019/05/31/2\", \"source\": \"jenkinsci-cert@googlegroups.com\"}, {\"url\": \"http://www.securityfocus.com/bid/108540\", \"source\": \"jenkinsci-cert@googlegroups.com\"}, {\"url\": \"https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/05/31/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/108540\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-10327\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2019-05-31T15:29:00.467\",\"lastModified\":\"2024-11-21T04:18:53.937\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory\u0027s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de las entidades externas XML (XXE) en el Plugin Pipeline Maven Integration de Jenkins versi\u00f3n 1.7.0 y anteriores, permit\u00eda a los atacantes calificados  para controlar el contenido de un directorio temporal en el agente que ejecuta la compilaci\u00f3n de Maven para que Jenkins analice un archivo XML creado maliciosamente que utiliza entidades externas para la extracci\u00f3n de informaci\u00f3n confidencial del servidor maestro de Jenkins, una falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) o ataques de Denegaci\u00f3n de Servicio (DoS).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:pipeline_maven_integration:*:*:*:*:*:jenkins:*:*\",\"versionEndIncluding\":\"1.7.0\",\"matchCriteriaId\":\"F6ACB812-76B5-482D-B21F-A606A20AE91A\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2019/05/31/2\",\"source\":\"jenkinsci-cert@googlegroups.com\"},{\"url\":\"http://www.securityfocus.com/bid/108540\",\"source\":\"jenkinsci-cert@googlegroups.com\"},{\"url\":\"https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/05/31/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/108540\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.