CVE-2019-1003015
Description
An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers with the ability to control the HTTP server (Jenkins) queried in preparation of job import to read arbitrary files, perform a denial of service attack, etc.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Job Import Plugin 2.1 and earlier has an XXE vulnerability that allows arbitrary file read and denial of service when an attacker controls the queried server.
Vulnerability
An XML external entity (XXE) processing vulnerability exists in Jenkins Job Import Plugin versions 2.1 and earlier. The flaw resides in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java and is triggered when the plugin imports jobs from an external Jenkins server. An attacker who controls that server can return XML containing external entity declarations, which the plugin's parser processes on the Jenkins controller [1][2].
Exploitation
An attacker must be able to control the HTTP server that the Job Import Plugin queries during job import. This could be achieved by setting up a rogue Jenkins server or compromising an existing one. When the plugin makes a request to import jobs from that server, the attacker crafts a response containing an XML document with a malicious external entity. No additional authentication or permissions are required beyond the ability to influence the server response [1][2].
Impact
Successful exploitation allows the attacker to read arbitrary files from the Jenkins controller's file system, potentially exposing sensitive information such as credentials and configuration files. Additionally, the attacker can cause denial of service (DoS) by consuming resources through entity expansion or by causing the application to crash [1][2].
Mitigation
Jenkins has released a fix as part of the security advisory on 2019-01-28. Users should upgrade the Job Import Plugin to version 2.2 or later. No workaround is available for earlier versions [1][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:job-import-plugin | Maven | < 3.0 | 3.0 |
Affected products
- (no CPE) range: <=2.1
- (no CPE) range: 2.1 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-882r-r8fw-p538 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1003015 (GHSA, ADVISORY)
- jenkins.io/security/advisory/2019-01-28/ (MITRE, x_refsource_CONFIRM)
- jenkins.io/security/advisory/2019-01-28/ (GHSA, WEB)
News mentions
No linked articles in our index yet.