Jenkins Token Macro Plugin before version 2.6 recursively applied token expansion. This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service. Most tokens have been changed to no longer recursively apply token expansion External Reference: https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 Upstream patches: https://github.com/jenkinsci/token-macro-plugin/commit/70163600031ea8d43833e6eea928f8fa2e44f96a
openshift-enterprise 3.6-3.11 inclusive: affected Once openshift3/jenkins-1-rhel7, openshift3/jenkins-2-rhel7, openshift3/jenkins-slave-base-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment.