CVE-2019-10309 Information

Description

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not prevent XML External Entity (XXE) processing when parsing the responses, allowing unauthorized attackers on the same network to read arbitrary files from Swarm clients.

CVSS Vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Reference

http://www.openwall.com/lists/oss-security/2019/04/30/5
http://www.securityfocus.com/bid/108159
https://jenkins.io/security/advisory/2019-04-30/SECURITY-1252
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

9.3

Base Severity

CRITICAL
