Allele Security Alert
ASA-2019-00094
Identifier(s)
ASA-2019-00094, SECURITY-1102, CVE-2019-1003011
Title
Recursive token expansion results in information disclosure and DoS in Token Macro Plugin
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Token Macro Plugin up to and including 2.5
Fixed version(s)
Token Macro Plugin version 2.6
Proof of concept
Unknown
Description
This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service.
Technical details
Unknown
Credits
Andy Caldwell (Metaswitch Networks) and Chris Swindle (Metaswitch Networks)
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28
Jenkins Plugin
https://plugins.jenkins.io/token-macro
CVE-2019-1003011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003011
CVE-2019-1003011
https://nvd.nist.gov/vuln/detail/CVE-2019-1003011
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019