CVE-2019-10327: XML External Entity processing vulnerability in Pipeline Maven Integration Jenkins Plugin
8.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.36217%
CWE
Published
5/24/2022
Updated
12/19/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:pipeline-maven | maven | < 3.7.1 | 3.7.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from insecure XML parsing configuration in MavenSpyLogProcessor.java. The patch explicitly adds XXE protections: 1) disables DTD processing, 2) enables secure processing feature, 3) disables external entities, and 4) adds a restrictive entity resolver. The original code lacked these protections, making the DocumentBuilder initialization in processMavenSpyLogs() the vulnerable point. The direct correlation between the patch's security hardening and CWE-611 confirms this assessment.