{"id":"CVE-2019-10337","details":"An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin 2.7 and earlier allowed attackers able to control the content of the input file for the \"XML\" macro to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.","aliases":["GHSA-g6h2-4x64-c59x"],"modified":"2026-04-10T04:13:47.339077Z","published":"2019-06-11T14:29:01.057Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/108747"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/06/11/1"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1636"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1851"},{"type":"ADVISORY","url":"https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1399"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/token-macro-plugin","events":[{"introduced":"0"},{"last_affected":"1c630463aeb77720b0e9c6dedbbacc78ffbec872"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.7"}]}}],"versions":["token-macro-1.0","token-macro-1.1","token-macro-1.10","token-macro-1.13-alpha","token-macro-1.2","token-macro-1.3","token-macro-1.4","token-macro-1.5","token-macro-1.5.1","token-macro-1.6","token-macro-1.7","token-macro-1.8","token-macro-1.8.1","token-macro-1.9","token-macro-2.0","token-macro-2.0-beta","token-macro-2.1","token-macro-2.2","token-macro-2.3","token-macro-2.4","token-macro-2.5","token-macro-2.6","token-macro-2.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10337.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}