CVE-2019-10337: XEE
First published: Tue Jun 11 2019(Updated: )
An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/atomic-openshift | <0:3.11.129-1.git.0.bd4f2d5.el7 | 0:3.11.129-1.git.0.bd4f2d5.el7 |
| redhat/jenkins | <2-plugins-0:3.11.1560870549-1.el7 | 2-plugins-0:3.11.1560870549-1.el7 |
| redhat/jenkins | <2-plugins-0:4.1.1561471763-1.el7 | 2-plugins-0:4.1.1561471763-1.el7 |
| redhat/jenkins-plugin-token-macro | <2.8 | 2.8 |
| Jenkins Token Macro Jenkins | <=2.7 | |
| maven/org.jenkins-ci.plugins:token-macro | <=2.7 | 2.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-10337
- https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399
- http://www.openwall.com/lists/oss-security/2019/06/11/1
- https://access.redhat.com/errata/RHSA-2019:1636
- https://access.redhat.com/errata/RHSA-2019:1851
- http://www.securityfocus.com/bid/108747
- https://github.com/jenkinsci/token-macro-plugin/commit/004319f1b6e2a0f097a096b9df9dc19a5ac0d9b0
- https://github.com/advisories/GHSA-g6h2-4x64-c59x (Advisory)
- https://jenkins.io/security/advisory/2019-06-11/
- https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary
- https://access.redhat.com/security/cve/cve-2019-10337
- https://bugzilla.redhat.com/show_bug.cgi?id=1719782
- https://www.cve.org/CVERecord?id=CVE-2019-10337 https://nvd.nist.gov/vuln/detail/CVE-2019-10337 https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399
- collector/redhat-cve
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10337
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g6h2-4x64-c59x
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- agent/trending
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins token macro jenkins
- version/jenkins token macro jenkins/2.7
- package-manager/maven