Bug 1670296 (CVE-2019-1003011)

Summary: CVE-2019-1003011 jenkins-plugin-token-macro: Recursive token expansion results in information disclosure and DoS in Token Macro Plugin (SECURITY-1102)
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, jburrell, jgoulding, jokerman, mchappel, mmccomas, nstielau, obulatov, pbhattac, sponnaga, wzheng
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins-plugin-token-macro 2.6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 03:24:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1671469, 1671470    
Bug Blocks: 1670285    

Description Sam Fowler 2019-01-29 07:50:34 UTC 
Jenkins Token Macro Plugin before version 2.6 recursively applied token expansion.

This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service.

Most tokens have been changed to no longer recursively apply token expansion


External Reference:

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102

Upstream patches:

https://github.com/jenkinsci/token-macro-plugin/commit/70163600031ea8d43833e6eea928f8fa2e44f96a
Comment 1 Paul Harvey 2019-02-04 06:27:08 UTC 
openshift-enterprise 3.6-3.11 inclusive: affected

Once openshift3/jenkins-1-rhel7, openshift3/jenkins-2-rhel7, openshift3/jenkins-slave-base-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment.