Vulnerability Description
An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Token Macro | <= 2.5 |
| Redhat | Openshift Container Platform | 3.11 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHBA-2019:0326 (Third Party Advisory)
- https://access.redhat.com/errata/RHBA-2019:0327 (Third Party Advisory)
- https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 (Vendor Advisory)
FAQ
What is CVE-2019-1003011?
CVE-2019-1003011 is a vulnerability with a CVSS score of 8.1 (HIGH). An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkin...
How severe is CVE-2019-1003011?
CVE-2019-1003011 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-1003011?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Token Macro, Redhat Openshift Container Platform.