CVE-2019-16549: Improper Restriction of XML External Entity Reference

May 24, 2022 (updated October 27, 2023)

Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents.

References

www.openwall.com/lists/oss-security/2019/12/17/1
github.com/advisories/GHSA-7mf5-79gv-66gh
jenkins.io/security/advisory/2019-12-17/
nvd.nist.gov/vuln/detail/CVE-2019-16549

Detect and mitigate CVE-2019-16549 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →