Bug 1670296 (CVE-2019-1003011) - CVE-2019-1003011 jenkins-plugin-token-macro: Recursive token expansion results in information disclosure and DoS in Token Macro Plugin (SECURITY-1102)
Summary: CVE-2019-1003011 jenkins-plugin-token-macro: Recursive token expansion result...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-1003011
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1671469 1671470
Blocks: 1670285
TreeView+ depends on / blocked
 
Reported: 2019-01-29 07:50 UTC by Sam Fowler
Modified: 2021-10-27 03:24 UTC (History)
18 users (show)

Fixed In Version: jenkins-plugin-token-macro 2.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 03:24:23 UTC
Embargoed:


Attachments (Terms of Use)

Description Sam Fowler 2019-01-29 07:50:34 UTC
Jenkins Token Macro Plugin before version 2.6 recursively applied token expansion.

This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service.

Most tokens have been changed to no longer recursively apply token expansion


External Reference:

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102

Upstream patches:

https://github.com/jenkinsci/token-macro-plugin/commit/70163600031ea8d43833e6eea928f8fa2e44f96a

Comment 1 Paul Harvey 2019-02-04 06:27:08 UTC
openshift-enterprise 3.6-3.11 inclusive: affected

Once openshift3/jenkins-1-rhel7, openshift3/jenkins-2-rhel7, openshift3/jenkins-slave-base-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment.


Note You need to log in before you can comment on or make changes to this bug.