CVE-2019-10327: Improper Restriction of XML External Entity Reference

May 24, 2022 (updated September 9, 2022)

An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory’s content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

References

www.openwall.com/lists/oss-security/2019/05/31/2
github.com/advisories/GHSA-6755-jgp4-8q7h
jenkins.io/security/advisory/2019-05-31/
nvd.nist.gov/vuln/detail/CVE-2019-10327

Detect and mitigate CVE-2019-10327 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →