Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02NzU1LWpncDQtOHE3aM4AAqzp
XML External Entity processing vulnerability in Pipeline Maven Integration Jenkins Plugin
An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 3.7.0 and earlier allowed attackers able to control the contents of a temporary directory on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file. Because the parser resolved external entities, such a file could be used to extract secrets from the Jenkins master, perform server-side request forgery, or cause denial of service.
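The flaw described above, an agent-supplied XML file parsed by a JAXP parser that still resolves external entities, as an added Java example that is not code from the plugin or from the Jenkins project. The class name, the two parse methods, the temporary "secret" file standing in for master-side data and the XML payload are all constructed for this illustration. parseUnsafe shows the default DocumentBuilderFactory configuration under which a SYSTEM entity pulls a local file into the parsed document; parseSafe shows the hardening (rejecting DOCTYPE and disabling external entity and DTD loading) that makes the same payload fail to parse.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Constructed payload shaped like a build-report XML file an attacker could drop into the
    // agent's temporary directory. The external entity points at a file readable by the JVM
    // that does the parsing (the master, in the advisory's scenario).
    static String buildPayload(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE mavenExecution [\n"
             + "  <!ENTITY leak SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<mavenExecution><artifact>&leak;</artifact></mavenExecution>";
    }

    // Vulnerable pattern: a default DocumentBuilderFactory accepts DOCTYPE declarations and
    // resolves SYSTEM entities, so the referenced file's contents end up in the document.
    static Document parseUnsafe(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened pattern (standard JAXP XXE hardening): refuse DOCTYPE outright and, as defence
    // in depth, disable every entity and DTD loading feature and neuter the entity resolver.
    static Document parseSafe(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Even if a DOCTYPE somehow got through, never fetch anything for an external reference.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret on the host doing the parsing (e.g. a credentials file).
        Path secret = Files.createTempFile("master-secret", ".txt");
        Files.write(secret, "super-secret-token".getBytes(StandardCharsets.UTF_8));
        String payload = buildPayload(secret.toUri().toString());
        try {
            Document leaked = parseUnsafe(payload);
            System.out.println("unsafe parser leaked: "
                    + leaked.getDocumentElement().getTextContent().trim());
            try {
                parseSafe(payload);
                System.out.println("hardened parser unexpectedly accepted the file");
            } catch (SAXException e) {
                System.out.println("hardened parser rejected the file: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The unsafe parse prints the temp file's contents inside the document; the hardened parse throws a SAXParseException as soon as it sees the DOCTYPE, which also blocks the entity-expansion (denial-of-service) and SSRF variants, since both need a DTD. In the advisory's scenario the file is written on the agent but parsed on the master, so entity resolution runs with the master's filesystem and network access, which is what turns a temp-directory write into secret extraction.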
Permalink: https://github.com/advisories/GHSA-6755-jgp4-8q7h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NzU1LWpncDQtOHE3aM4AAqzp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Identifiers: GHSA-6755-jgp4-8q7h, CVE-2019-10327
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10327
- https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409
- http://www.openwall.com/lists/oss-security/2019/05/31/2
- http://www.securityfocus.com/bid/108540
- https://github.com/jenkinsci/pipeline-maven-plugin/commit/e7cb858852c05d2423e3fd9922a090982dcd6392
- https://github.com/advisories/GHSA-6755-jgp4-8q7h
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:pipeline-maven
Affected Version Ranges: < 3.7.1
Fixed in: 3.7.1