CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10337 – jenkins-plugin-token-macro: XML External Entity processing the ${XML} macro
https://notcve.org/view.php?id=CVE-2019-10337
An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control a the content of the input file for the "XML" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. Una vulnerabilidad de entidades externas XML (XXE) en el Plugin Token Macro de Jenkins versión 2.7 y anteriores, permitía a los atacantes capaces de controlar el contenido del archivo de entrada de la macro "XML" para tener Jenkins que resolver las entidades externas, resultando en la extracción de secretos del agente de Jenkins, la falsificación de peticiones del lado del servidor o ataques de denegación de servicio. • http://www.openwall.com/lists/oss-security/2019/06/11/1 http://www.securityfocus.com/bid/108747 https://access.redhat.com/errata/RHSA-2019:1636 https://access.redhat.com/errata/RHSA-2019:1851 https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399 https://access.redhat.com/security/cve/CVE-2019-10337 https://bugzilla.redhat.com/show_bug.cgi?id=1719782 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003011
https://notcve.org/view.php?id=CVE-2019-1003011
An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation. Existe una vulnerabilidad de exposición de información en Jenkins Token Macro Plugin, en versiones 2.5 y anteriores, en src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java y src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java, que permite que los atacantes con la capacidad de controlar entradas de macros de tokens (como los registros de cambios de SCM) definan entradas recursivas que resultan en una evaluación inesperada de las macros. • https://access.redhat.com/errata/RHBA-2019:0326 https://access.redhat.com/errata/RHBA-2019:0327 https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 • CWE-674: Uncontrolled Recursion •