GHSA-23h9-m55m-c5jp

Опубликовано: 13 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

Jenkins Token Macro Plugin's recursive token expansion results in information disclosure and DoS

Jenkins Token Macro Plugin recursively applied token expansion.

This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service.

Most tokens have been changed to no longer recursively apply token expansion.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:token-macro

maven

Затронутые версииВерсия исправления

<= 2.5

2.6

EPSS

Процентиль: 68%

0.00589

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2019-1003011

Дефекты

CWE-674

Связанные уязвимости

CVE-2019-1003011

CVSS3: 7.1

redhat

больше 6 лет назад

An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation.

CVE-2019-1003011

CVSS3: 8.1

nvd

больше 6 лет назад

EPSS

Процентиль: 68%

0.00589

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2019-1003011

Дефекты

CWE-674