VYPR
← All advisories
High severityNVD Advisory· Published May 31, 2019· Updated Aug 4, 2024

CVE-2019-10327

CVE-2019-10327

Description

An XXE vulnerability in Jenkins Pipeline Maven Integration Plugin allows attackers to extract secrets, perform SSRF, or cause DoS by controlling temporary directory content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XXE vulnerability in Jenkins Pipeline Maven Integration Plugin allows attackers to extract secrets, perform SSRF, or cause DoS by controlling temporary directory content.

The Jenkins Pipeline Maven Integration Plugin failed to disable XML External Entity (XXE) processing in its XML parser, allowing attackers to inject malicious XML content. This vulnerability stems from the use of an unsafe default configuration for DocumentBuilderFactory, which does not prevent external entity expansion [1][2].

To exploit this, an attacker must have the ability to control the contents of a temporary directory on the agent where the Maven build executes. By placing a crafted XML file in that directory, the attacker can trigger XXE processing during the build, without requiring authentication or special permissions beyond access to the agent's file system [2].

The impact is significant: an attacker can extract secrets from the Jenkins master, perform server-side request forgery (SSRF) attacks, or cause denial-of-service (DoS) conditions by consuming resources through entity expansion [1][2]. The vulnerability was assigned a CVSS high severity rating.

The issue has been addressed in version 3.7.1 of the plugin. The fix involves configuring the XML parser to disallow doctype declarations and disable external entities, as demonstrated in the commit [4]. Users should update to the latest version immediately [2][3].

References
  1. NVD - CVE-2019-10327
  2. Jenkins Security Advisory 2019-05-31
  3. security - Multiple vulnerabilities in Jenkins plugins
  4. [SECURITY-1409] · jenkinsci/pipeline-maven-plugin@e7cb858

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.plugins:pipeline-mavenMaven
< 3.7.13.7.1

Affected products

2

Patches

1
e7cb858852c0

[SECURITY-1409]

https://github.com/jenkinsci/pipeline-maven-pluginCyrille Le ClercMay 27, 2019via ghsa
commit
2 files changed · +61 5
  • jenkins-plugin/src/main/java/org/jenkinsci/plugins/pipeline/maven/MavenSpyLogProcessor.java+34 5 modified
    @@ -26,32 +26,30 @@
 
 import hudson.FilePath;
 import hudson.model.Run;
-import hudson.model.StreamBuildListener;
 import hudson.model.TaskListener;
 import jenkins.model.InterruptedBuildAction;
 import org.apache.commons.lang.StringUtils;
 import org.jenkinsci.plugins.pipeline.maven.publishers.JenkinsMavenEventSpyLogsPublisher;
+import org.jenkinsci.plugins.pipeline.maven.util.XmlUtils;
 import org.jenkinsci.plugins.workflow.steps.StepContext;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.OutputStream;
 import java.io.PrintWriter;
 import java.io.Serializable;
 import java.util.AbstractMap;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 
 import javax.annotation.Nonnull;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -78,7 +76,38 @@ public void processMavenSpyLogs(@Nonnull StepContext context, @Nonnull FilePath
 
         DocumentBuilder documentBuilder;
         try {
-            documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+            // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j
+            dbf.setExpandEntityReferences(false);
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+            // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all
+            // XML entity attacks are prevented
+            // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
+            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
+            // If you can't completely disable DTDs, then at least do the following:
+            // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
+            // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
+            // JDK7+ - http://xml.org/sax/features/external-general-entities
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+
+            // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
+            // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
+            // JDK7+ - http://xml.org/sax/features/external-parameter-entities
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
+            // Disable external DTDs as well
+            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+            // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
+            dbf.setXIncludeAware(false);
+
+            documentBuilder = dbf.newDocumentBuilder();
+
+            // See https://github.com/jenkinsci/jenkins/blob/jenkins-2.176/core/src/main/java/jenkins/util/xml/XMLUtils.java#L114
+            documentBuilder.setEntityResolver(XmlUtils.RestrictiveEntityResolver.INSTANCE);
         } catch (ParserConfigurationException e) {
             throw new IllegalStateException("Failure to create a DocumentBuilder", e);
         }
  • jenkins-plugin/src/main/java/org/jenkinsci/plugins/pipeline/maven/util/XmlUtils.java+27 0 modified
    @@ -33,8 +33,12 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 import java.io.File;
+import java.io.IOException;
 import java.io.StringWriter;
 import java.nio.file.Path;
 import java.util.ArrayList;
@@ -510,4 +514,27 @@ public static List<MavenArtifact> listGeneratedArtifacts(Element mavenSpyLogs, b
 
         return result;
     }
+
+    /**
+     * Copy {@link jenkins.util.xml.RestrictiveEntityResolver} as it is secured by {@link org.kohsuke.accmod.restrictions.NoExternalUse}.
+     *
+     * @see jenkins.util.xml.RestrictiveEntityResolver
+     */
+    public final static class RestrictiveEntityResolver implements EntityResolver {
+
+        public final static RestrictiveEntityResolver INSTANCE = new RestrictiveEntityResolver();
+
+        private RestrictiveEntityResolver() {
+            // prevent multiple instantiation.
+            super();
+        }
+
+        /**
+         * Throws a SAXException if this tried to resolve any entity.
+         */
+        @Override
+        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+            throw new SAXException("Refusing to resolve entity with publicId(" + publicId + ") and systemId (" + systemId + ")");
+        }
+    }
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.