CVE-2019-10327

{"id": "CVE-2019-10327", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2019-05-31T15:29:00.467", "references": [{"url": "http://www.openwall.com/lists/oss-security/2019/05/31/2", "source": "jenkinsci-cert@googlegroups.com"}, {"url": "http://www.securityfocus.com/bid/108540", "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1409", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "An XML external entities (XXE) vulnerability in Jenkins Pipeline Maven Integration Plugin 1.7.0 and earlier allowed attackers able to control a temporary directory's content on the agent running the Maven build to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks."}, {"lang": "es", "value": "Una vulnerabilidad de las entidades externas XML (XXE) en el Plugin Pipeline Maven Integration de Jenkins versi\u00f3n 1.7.0 y anteriores, permit\u00eda a los atacantes calificados para controlar el contenido de un directorio temporal en el agente que ejecuta la compilaci\u00f3n de Maven para que Jenkins analice un archivo XML creado maliciosamente que utiliza entidades externas para la extracci\u00f3n de informaci\u00f3n confidencial del servidor maestro de Jenkins, una falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) o ataques de Denegaci\u00f3n de Servicio (DoS)."}], "lastModified": "2023-10-25T18:16:16.037", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:pipeline_maven_integration:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "F6ACB812-76B5-482D-B21F-A606A20AE91A", "versionEndIncluding": "1.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}