[org.jenkins-ci.plugins:job-import-plugin] XXE vulnerability in Jenkins Job Import Plugin

An XML external entity (XXE) processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.

References

https://nvd.nist.gov/vuln/detail/CVE-2019-1003015
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-905%20(1)
https://github.com/advisories/GHSA-882r-r8fw-p538

Gadget Gate

[org.jenkins-ci.plugins:job-import-plugin] XXE vulnerability in Jenkins Job Import Plugin

References

Archives