Allele Security Alert
ASA-2019-00098
Identifier(s)
ASA-2019-00098, SECURITY-905, CVE-2019-1003015
Title
XML External Entity (XXE) vulnerability in Job Import Plugin
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Job Import Plugin up to and including 2.1
Fixed version(s)
Job Import Plugin version 3.0
Proof of concept
Unknown
Description
Job Import Plugin allows importing jobs from other Jenkins instances. As a first step in this process, the plugin sends a request to the other Jenkins instance and parses the XML REST API output to obtain the list of jobs that could be imported.
Job Import Plugin did not configure its XML parser to prevent XML External Entity (XXE) processing. An attacker able to control either the server that Jenkins queries or the URL it queries could therefore have Jenkins parse a maliciously crafted XML response whose external entities are used to extract secrets from the Jenkins master, to perform server-side request forgery (SSRF), or to cause a denial of service.
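The following is an added example, not code from Job Import Plugin or the Jenkins project. It reproduces the vulnerability class described above with JAXP: a constructed XML document, modelled on the `<hudson><job><name>` layout of the Jenkins `/api/xml` output, declares an external entity pointing at a local file (a temp file standing in for a secret on the master). The default `DocumentBuilderFactory` resolves the entity and the file contents end up in the parsed job name; the hardened factory rejects the DOCTYPE before any entity can be declared. The `firstJobName` helper and the class name are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Default JAXP configuration: the DTD is processed and SYSTEM entities
    // are fetched from file:, http:, etc. This is the vulnerable shape.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: no DOCTYPE at all, so no entity declarations,
    // external DTDs, or XInclude can reach the parser. Belt and braces: the
    // entity features are disabled too in case disallow-doctype-decl is ever
    // relaxed for a parser that needs DTDs.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Illustrative stand-in for the plugin's step: parse the remote instance's
    // XML API output and read the first job name out of it.
    static String firstJobName(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList names = doc.getElementsByTagName("name");
        return names.getLength() == 0 ? null : names.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" on the local machine, standing in for a file on the master.
        Path secret = Files.createTempFile("master-secret", ".txt");
        Files.writeString(secret, "constructed-secret-value");

        // Constructed malicious response from an attacker-controlled Jenkins URL.
        String malicious = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE hudson [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<hudson><job><name>&xxe;</name></job></hudson>";

        // Vulnerable: the job name now carries the file contents back to the attacker's view.
        System.out.println("default parser : " + firstJobName(vulnerableFactory(), malicious));

        // Hardened: parsing fails on the DOCTYPE; the entity is never resolved.
        try {
            firstJobName(hardenedFactory(), malicious);
            System.out.println("hardened parser: unexpectedly accepted the document");
        } catch (SAXException e) {
            System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
        }
        Files.delete(secret);
    }
}
```

Run with `java XxeDemo.java` on JDK 11 or later. Swap the `file:` URI in the entity for an `http:` URL to see the SSRF variant, or point it at a device such as `/dev/random` to see the denial-of-service variant; the hardened factory refuses all three identically because it never reaches entity resolution.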
Technical details
Unknown
Credits
Thomas Chauchefoin (Synacktiv) and Julien Szlamowicz (Synacktiv)
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28
Jenkins Plugins
https://plugins.jenkins.io/job-import-plugin
CVE-2019-1003015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003015
CVE-2019-1003015
https://nvd.nist.gov/vuln/detail/CVE-2019-1003015
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019