CVE-2019-10337: Improper Restriction of XML External Entity Reference Jenkins Token Macro Plugin

CVSS Score
7.5 (CVSS v3.0)

Basic Information

EPSS Score
0.46811%
Published
5/24/2022
Updated
5/30/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:token-macro | maven | <= 2.7 | 2.8 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insecure XML parsing in the `ReadXML` class's `call()` method, which is what the `${XML}` macro runs to read the XML file named in its arguments. The pre-patch code obtained its parser from a bare `DocumentBuilderFactory.newInstance()` with no hardening. A default JAXP factory honours `DOCTYPE` declarations, resolves external general entities and loads external DTDs, so an attacker who controls the content of the input file can declare an entity such as `<!ENTITY x SYSTEM "file:///etc/passwd">` and have the file read (or an outbound request made) on the machine expanding the macro, with the result substituted into the parsed document. The commit diff shows the fix: 1) a `createFactory()` method that disables the dangerous XML features; 2) enabling secure processing on the factory; 3) adding a null EntityResolver, so that any entity reference that still reaches the resolver yields nothing rather than a file or URL fetch. The original implementation lacked all three, making `call()` the vulnerable entry point whenever the `${XML}` macro processed attacker-controlled XML.
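As an added illustration (this is not the plugin's code and not the commit the analysis refers to), the pre-patch pattern is shown beside a hardened `createFactory()` built from the three fix points above. The XXE payload, the temporary file standing in for a secret on the agent, the class name `XxeDemo` and the specific feature URIs are assumptions made for the demo; the page does not say which features the plugin's own `createFactory()` sets.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Constructed sample input: the kind of XML file an attacker would place in the
    // workspace for the ${XML} macro to read. The DOCTYPE declares an external entity
    // backed by a local file; an unhardened parser inlines that file into <value>.
    static String xxePayload(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<data><value>&xxe;</value></data>\n";
    }

    // Pre-patch pattern from the root cause analysis: a default factory, no hardening.
    // The JDK's default parser honours DOCTYPE and resolves external entities.
    static Document parseUnsafe(InputStream in) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        return factory.newDocumentBuilder().parse(in);
    }

    // Hardened factory modelled on the three fix points. The feature URIs are the
    // standard Xerces/SAX ones; which of them the plugin sets is not stated on the
    // page, so this list is an assumption.
    static DocumentBuilderFactory createFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // 1) disable the dangerous features: no DOCTYPE at all, and no external
        //    general/parameter entities or external DTD loading even if one got through
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        // 2) secure processing (entity expansion limits and related guards)
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    static Document parseSafe(InputStream in) throws Exception {
        DocumentBuilder builder = createFactory().newDocumentBuilder();
        // 3) an entity resolver that never touches disk or network: every lookup
        //    yields an empty input source. Defence in depth on top of (1).
        builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return builder.parse(in);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret on the agent (constructed so the demo is self-contained).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "agent-secret".getBytes(StandardCharsets.UTF_8));
        byte[] xml = xxePayload(secret.toUri().toString()).getBytes(StandardCharsets.UTF_8);

        try {
            Document doc = parseUnsafe(new ByteArrayInputStream(xml));
            // the temp file's contents were read and substituted into <value>
            System.out.println("unsafe: " + doc.getElementsByTagName("value").item(0).getTextContent());

            try {
                parseSafe(new ByteArrayInputStream(xml));
                System.out.println("safe: parsed (not expected)");
            } catch (SAXException e) {
                // disallow-doctype-decl rejects the DOCTYPE before any entity is looked at
                System.out.println("safe: rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The order of the three measures matters in practice: `disallow-doctype-decl` alone stops this payload, but parsers that must accept a DTD for legitimate input still need the entity features off and a resolver that returns nothing, which is why the hardened path applies all of them.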

WAF Protection Rules

WAF Rule

An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of
