CVE-2019-1003011 — Jenkins Token Macro Plugin's recursive token expansion results in information di

Description

Jenkins Token Macro Plugin recursively applied token expansion. This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service. Most tokens have been changed to no longer recursively apply token expansion.

How to fix CVE-2019-1003011

To remediate CVE-2019-1003011, upgrade the affected package to a fixed version below.

—upgrade to 2.6 or later

Is CVE-2019-1003011 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-1003011
WEBaccess.redhat.com/errata/RHBA-2019:0326
WEBaccess.redhat.com/errata/RHBA-2019:0327
WEBgithub.com/jenkinsci/token-macro-plugin/commit/70163600031ea8d43833e6eea928f8fa2e44f96a