Vulnerability Details CVE-2019-1003011
An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.1%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 5.5
References
- https://access.redhat.com/errata/RHBA-2019:0326
- https://access.redhat.com/errata/RHBA-2019:0327
- https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102
- https://access.redhat.com/errata/RHBA-2019:0326
- https://access.redhat.com/errata/RHBA-2019:0327
- https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102
Products affected by CVE-2019-1003011
-
cpe:2.3:a:jenkins:token_macro:1.0
-
cpe:2.3:a:jenkins:token_macro:1.1
-
cpe:2.3:a:jenkins:token_macro:1.10
-
cpe:2.3:a:jenkins:token_macro:1.11
-
cpe:2.3:a:jenkins:token_macro:1.12
-
cpe:2.3:a:jenkins:token_macro:1.12.1
-
cpe:2.3:a:jenkins:token_macro:1.13
-
cpe:2.3:a:jenkins:token_macro:1.2
-
cpe:2.3:a:jenkins:token_macro:1.3
-
cpe:2.3:a:jenkins:token_macro:1.4
-
cpe:2.3:a:jenkins:token_macro:1.5
-
cpe:2.3:a:jenkins:token_macro:1.5.1
-
cpe:2.3:a:jenkins:token_macro:1.6
-
cpe:2.3:a:jenkins:token_macro:1.7
-
cpe:2.3:a:jenkins:token_macro:1.8
-
cpe:2.3:a:jenkins:token_macro:1.8.1
-
cpe:2.3:a:jenkins:token_macro:1.9
-
cpe:2.3:a:jenkins:token_macro:2.0
-
cpe:2.3:a:jenkins:token_macro:2.1
-
cpe:2.3:a:jenkins:token_macro:2.2
-
cpe:2.3:a:jenkins:token_macro:2.3
-
cpe:2.3:a:jenkins:token_macro:2.4
-
cpe:2.3:a:jenkins:token_macro:2.5
-
cpe:2.3:a:redhat:openshift_container_platform:3.11