CVE-2019-1003015: Improper Restriction of XML External Entity Reference

May 13, 2022 (updated May 26, 2022)

An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.

References

github.com/advisories/GHSA-882r-r8fw-p538
jenkins.io/security/advisory/2019-01-28/
nvd.nist.gov/vuln/detail/CVE-2019-1003015

Code Behaviors & Features

Detect and mitigate CVE-2019-1003015 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →