CVE-2019-1003011

HIGH

8.1

Description

An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation.

CVE Details

CVSS v3.1 Score8.1

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionNONE

Published2/6/2019

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

jenkins:token_macroredhat:openshift_container_platform

Weaknesses (CWE)

CWE-674

References

https://access.redhat.com/errata/RHBA-2019:0326(jenkinsci-cert@googlegroups.com)

https://access.redhat.com/errata/RHBA-2019:0327(jenkinsci-cert@googlegroups.com)

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102(jenkinsci-cert@googlegroups.com)

https://access.redhat.com/errata/RHBA-2019:0326(af854a3a-2127-422b-91ae-364da2661108)

https://access.redhat.com/errata/RHBA-2019:0327(af854a3a-2127-422b-91ae-364da2661108)

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.