CVE-2019-10337 – org.jenkins-ci.plugins:token-macro
Package
Manager: maven
Name: org.jenkins-ci.plugins:token-macro
Vulnerable Version: >=0 <2.8
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00237 (percentile 0.46736)
Details
Improper Restriction of XML External Entity Reference in Jenkins Token Macro Plugin. An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.
Metadata
Created: 2022-05-24T16:47:43Z
Modified: 2024-05-30T14:15:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g6h2-4x64-c59x/GHSA-g6h2-4x64-c59x.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-g6h2-4x64-c59x
Finding: F083
Auto approve: 1