CVE-2019-10309

Name of the Vulnerable Software and Affected Versions Jenkins Swarm Plugin (affected versions not specified)

Description The issue concerns the Jenkins Swarm Plugin, which allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. The responses to this request are XML documents. However, the Swarm Plugin does not prevent XML External Entity (XXE) processing when processing these responses. This allows unauthorized attackers on the same network to read arbitrary files from Swarm clients or conduct denial-of-service attacks by having Swarm clients parse a maliciously crafted XML response.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.