Base Score

CRITICAL9.1

CVE-2019-1003015

An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateFeb 06, 2019, 16:29

Affected Versions(1)

org.jenkins-ci.plugins:job-import-plugin(Maven)

Introduced0

Fixed3.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.plugins:job-import-plugin(Maven)	0	3.0	N/A

Weakness Type (CWE):CWE-611

CVSS Metrics

Base Score

9.1

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

HIGH

References

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20%281%29

Base Score

CRITICAL9.1

Weakness Type (CWE):CWE-611

CVSS Metrics

Base Score

9.1

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

HIGH