CVE-2019-10337: Improper Restriction of XML External Entity Reference Jenkins Token Macro Plugin
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.46811%
CWE
Published
5/24/2022
Updated
5/30/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:token-macro | maven | <= 2.7 | 2.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure XML parsing in the ReadXML
class's call()
method. The pre-patch code used DocumentBuilderFactory.newInstance()
without security hardening, leaving XXE protections disabled. The commit diff shows the vulnerability was fixed by: 1) Introducing a createFactory()
method that disables dangerous XML features 2) Setting secure processing attributes 3) Adding a null EntityResolver
. The original implementation lacked these protections, making the call()
method the vulnerable entry point for XXE attacks when processing XML files with the ${XML}
macro.