CVE-2019-10309 - Improper Restriction of XML External Entity Reference

Severity

48%

Complexity

65%

Confidentiality

81%

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients.

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients.

CVSS 3.0 Base Score 9.3. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H).

CVSS 2.0 Base Score 4.8. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: low. CVSS Vector: (AV:A/AC:L/Au:N/C:P/I:N/A:P).

Overview

First reported 5 years ago

2019-04-30 13:29:00

Last updated 5 years ago

2019-05-06 16:29:00

Affected Software

Jenkins Self-Organizing Swarm Modules for Jenkins

jenkins

References

[oss-security] 20190430 Multiple vulnerabilities in Jenkins plugins

Mailing List, Third Party Advisory

108159

https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252

Vendor Advisory

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.