Allele Security Alert
ASA-2019-00094, SECURITY-1102, CVE-2019-1003011
Recursive token expansion results in information disclosure and DoS in Token Macro Plugin
Token Macro Plugin up to and including 2.5
Token Macro Plugin version 2.6
Proof of concept
This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service.
Andy Caldwell (Metaswitch Networks) and Chris Swindle (Metaswitch Networks)
Jenkins Security Advisory 2019-01-28
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019