CVE-2019-16549

Name of the Vulnerable Software and Affected Versions Jenkins Maven Release Plugin versions 0.16.1 and earlier

Description The issue allows man-in-the-middle attackers to have Jenkins parse crafted XML documents due to the XML parser not being configured to prevent XML external entity (XXE) attacks. This could be exploited, especially if the URL is not HTTPS, allowing attackers to extract secrets from the Jenkins controller, perform server-side request forgery, or launch denial-of-service attacks. A cross-site request forgery vulnerability is also present due to a connection test form validation method not requiring POST requests.

Recommendations For Jenkins Maven Release Plugin versions 0.16.1 and earlier, update to version 0.16.2, which configures the XML parser to prevent XML external entity (XXE) attacks and requires POST requests for the connection test form validation method to protect against cross-site request forgery attacks.