CVE Vulnerability

CVE-2019-10309

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity processing when processing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients.

4.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.5 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

Scope

9.3 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.8

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252 Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/04/30/5 Mailing List Third Party Advisory
http://www.securityfocus.com/bid/108159
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783
Configurations

Configuration 1

cpe:2.3:a:jenkins:self-organizing_swarm_modules:-:*:*:*:*:jenkins:*:*
Information

Published : 2019-04-30 01:29

Updated : 2019-05-06 04:29

NVD link : CVE-2019-10309

Mitre link : CVE-2019-10309

Products Affected
No products.
CWE
CWE-611

Improper Restriction of XML External Entity Reference