
CVE-2019-10309: Jenkins Self-Organizing Swarm Plug-in Modules Plugin XXE vulnerability via UDP broadcast response

CVSS Score: 6.1

Basic Information

EPSS Score: -
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Package Name                      Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.plugins:swarm      maven       <= 3.15               -

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper XML parsing in the UDP discovery mechanism. The Talos report explicitly identifies getCandidateFromDatagramResponses() as the method that handles datagram responses, and the assigned weakness, CWE-611, confirms this is an XXE vulnerability. The method parses the XML returned by the discovery request without configuring the parser's security features (such as disallowing DTDs and external entities), which is what makes the attack possible. The exploit PoC demonstrates malicious XML being processed through this vector, confirming the function's role in the vulnerability.
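The following is an added example (not the Swarm plugin's own code) showing how a Java DocumentBuilder can be configured so that a UDP discovery response carrying a DOCTYPE is rejected before any entity is resolved. The class name, the helper methods and the <hudson>/<url> element names in the constructed sample payloads are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

/** Hardened parsing of a UDP discovery response (added example, not the plugin's code). */
public class HardenedDiscoveryParser {

    /** Builds a DocumentBuilder with DTDs and external entities disabled. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE is the single most effective XXE mitigation.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses one datagram payload; returns the advertised URL, or null if the XML is rejected. */
    static String urlFromResponse(byte[] payload) throws Exception {
        try {
            Document doc = hardenedBuilder().parse(new ByteArrayInputStream(payload));
            NodeList urls = doc.getDocumentElement().getElementsByTagName("url");
            return urls.getLength() == 0 ? null : urls.item(0).getTextContent();
        } catch (SAXParseException e) {
            // A DOCTYPE (the XXE vector) is rejected before any entity is resolved.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses; element names are assumptions, not the plugin's schema.
        String benign = "<hudson><url>https://jenkins.example/</url></hudson>";
        String hostile = "<!DOCTYPE hudson [<!ENTITY x SYSTEM \"file:///placeholder-not-read\">]>"
                + "<hudson><url>&x;</url></hudson>";
        System.out.println(urlFromResponse(benign.getBytes(StandardCharsets.UTF_8)));
        System.out.println(urlFromResponse(hostile.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The first call returns the advertised URL; the second returns null because the parser refuses the DOCTYPE, so the external entity is never fetched.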

WAF Protection Rules

WAF Rule

Jenkins Swarm Plugin allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. Responses to this request are XML documents. Swarm Plugin does not configure the XML parser in a way that would prevent XML
