CVE-2019-1003011 - Vulnerability Details

Vendors	Products
Jenkins	Token Macro
Redhat	Openshift Openshift Container Platform

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 3.11
atomic-enterprise-service-catalog-1:3.11.82-1.git.1673.133961e.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
atomic-openshift-0:3.11.82-1.git.0.08bc31b.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
atomic-openshift-cluster-autoscaler-0:3.11.82-1.git.0.efb6af0.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
atomic-openshift-descheduler-0:3.11.82-1.git.300.89765c9.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
atomic-openshift-dockerregistry-0:3.11.82-1.git.452.0ce6383.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
atomic-openshift-metrics-server-0:3.11.82-1.git.52.2fdca3f.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
atomic-openshift-node-problem-detector-0:3.11.82-1.git.254.a448936.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
atomic-openshift-service-idler-0:3.11.82-1.git.14.e353758.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
atomic-openshift-web-console-0:3.11.82-1.git.355.5e8b1d9.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
golang-github-openshift-oauth-proxy-0:3.11.82-1.git.425.7cac034.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
golang-github-prometheus-alertmanager-0:3.11.82-1.git.0.3bf41ce.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
golang-github-prometheus-node_exporter-0:3.11.82-1.git.1063.48444e8.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
golang-github-prometheus-prometheus-0:3.11.82-1.git.5027.9d24833.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
haproxy-0:1.8.17-3.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
jenkins-0:2.150.2.1549032159-1.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
jenkins-2-plugins-0:3.11.1549642489-1.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
openshift-ansible-0:3.11.82-3.git.0.9718d0a.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
openshift-enterprise-autoheal-0:3.11.82-1.git.219.0b5aff4.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z
openshift-enterprise-cluster-capacity-0:3.11.82-1.git.380.cf11c51.el7	cpe:/a:redhat:openshift:3.11::el7	RHBA-2019:0326	2019-02-20T00:00:00Z

Link	Providers
https://access.redhat.com/errata/RHBA-2019:0326
https://access.redhat.com/errata/RHBA-2019:0327
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102
https://nvd.nist.gov/vuln/detail/CVE-2019-1003011
https://www.cve.org/CVERecord?id=CVE-2019-1003011

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Jenkins Token Macro Plugin", "vendor": "Jenkins project", "versions": [{"status": "affected", "version": "2.5 and earlier"}]}], "dateAssigned": "2019-02-06T00:00:00", "datePublic": "2019-01-28T00:00:00", "descriptions": [{"lang": "en", "value": "An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:44:42.864Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102"}, {"name": "RHBA-2019:0326", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHBA-2019:0326"}, {"name": "RHBA-2019:0327", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHBA-2019:0327"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "DATE_ASSIGNED": "2019-02-06T02:59:03.175229", "ID": "CVE-2019-1003011", "REQUESTER": "ml@beckweb.net", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Token Macro Plugin", "version": {"version_data": [{"version_value": "2.5 and earlier"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200, CWE-674"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102"}, {"name": "RHBA-2019:0326", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2019:0326"}, {"name": "RHBA-2019:0327", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2019:0327"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:19.329Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102"}, {"name": "RHBA-2019:0326", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHBA-2019:0326"}, {"name": "RHBA-2019:0327", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHBA-2019:0327"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2019-1003011", "datePublished": "2019-02-06T16:00:00", "dateReserved": "2019-02-06T00:00:00", "dateUpdated": "2024-08-05T03:00:19.329Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Jenkins Token Macro Plugin (string)

vendor : Jenkins project (string)

versions : [ »

0 : { »

status : affected (string)

version : 2.5 and earlier (string)

}

]

}

]

dateAssigned : 2019-02-06T00:00:00 (string)

datePublic : 2019-01-28T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation. (string)

}

]

providerMetadata : { »

orgId : 39769cd5-e6e2-4dc8-927e-97b3aa056f5b (string)

shortName : jenkins (string)

dateUpdated : 2023-10-24T16:44:42.864Z (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 (string)

}

1 : { »

name : RHBA-2019:0326 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

url : https://access.redhat.com/errata/RHBA-2019:0326 (string)

}

2 : { »

name : RHBA-2019:0327 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

]

url : https://access.redhat.com/errata/RHBA-2019:0327 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : jenkinsci-cert@googlegroups.com (string)

DATE_ASSIGNED : 2019-02-06T02:59:03.175229 (string)

ID : CVE-2019-1003011 (string)

REQUESTER : ml@beckweb.net (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Jenkins Token Macro Plugin (string)

version : { »

version_data : [ »

0 : { »

version_value : 2.5 and earlier (string)

}

]

}

]

}

vendor_name : Jenkins project (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-200, CWE-674 (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 (string)

refsource : CONFIRM (string)

url : https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 (string)

}

1 : { »

name : RHBA-2019:0326 (string)

refsource : REDHAT (string)

url : https://access.redhat.com/errata/RHBA-2019:0326 (string)

}

2 : { »

name : RHBA-2019:0327 (string)

refsource : REDHAT (string)

url : https://access.redhat.com/errata/RHBA-2019:0327 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T03:00:19.329Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 (string)

}

1 : { »

name : RHBA-2019:0326 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

url : https://access.redhat.com/errata/RHBA-2019:0326 (string)

}

2 : { »

name : RHBA-2019:0327 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_REDHAT (string)

2 : x_transferred (string)

]

url : https://access.redhat.com/errata/RHBA-2019:0327 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 39769cd5-e6e2-4dc8-927e-97b3aa056f5b (string)

assignerShortName : jenkins (string)

cveId : CVE-2019-1003011 (string)

datePublished : 2019-02-06T16:00:00 (string)

dateReserved : 2019-02-06T00:00:00 (string)

dateUpdated : 2024-08-05T03:00:19.329Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:token_macro:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "4798BE21-A4AD-4B21-A194-0184FB2C076C", "versionEndIncluding": "2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation."}, {"lang": "es", "value": "Existe una vulnerabilidad de exposici\u00f3n de informaci\u00f3n en Jenkins Token Macro Plugin, en versiones 2.5 y anteriores, en src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java y src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java, que permite que los atacantes con la capacidad de controlar entradas de macros de tokens (como los registros de cambios de SCM) definan entradas recursivas que resultan en una evaluaci\u00f3n inesperada de las macros."}], "id": "CVE-2019-1003011", "lastModified": "2024-11-21T04:17:44.177", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-06T16:29:00.623", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:0326"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:0327"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:0326"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2019:0327"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:jenkins:token_macro:*:*:*:*:*:jenkins:*:* (string)

matchCriteriaId : 4798BE21-A4AD-4B21-A194-0184FB2C076C (string)

versionEndIncluding : 2.5 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

1 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:* (string)

matchCriteriaId : 2F87326E-0B56-4356-A889-73D026DB1D4B (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation. (string)

}

1 : { »

lang : es (string)

value : Existe una vulnerabilidad de exposición de información en Jenkins Token Macro Plugin, en versiones 2.5 y anteriores, en src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java y src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java, que permite que los atacantes con la capacidad de controlar entradas de macros de tokens (como los registros de cambios de SCM) definan entradas recursivas que resultan en una evaluación inesperada de las macros. (string)

}

]

id : CVE-2019-1003011 (string)

lastModified : 2024-11-21T04:17:44.177 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : PARTIAL (string)

baseScore : 5.5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:S/C:P/I:N/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 8 (number)

impactScore : 4.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 8.1 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 5.2 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2019-02-06T16:29:00.623 (string)

references : [ »

0 : { »

source : jenkinsci-cert@googlegroups.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://access.redhat.com/errata/RHBA-2019:0326 (string)

}

1 : { »

source : jenkinsci-cert@googlegroups.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://access.redhat.com/errata/RHBA-2019:0327 (string)

}

2 : { »

source : jenkinsci-cert@googlegroups.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://access.redhat.com/errata/RHBA-2019:0326 (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://access.redhat.com/errata/RHBA-2019:0327 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 (string)

}

]

sourceIdentifier : jenkinsci-cert@googlegroups.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-674 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"affected_release": [{"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-enterprise-service-catalog-1:3.11.82-1.git.1673.133961e.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-0:3.11.82-1.git.0.08bc31b.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-cluster-autoscaler-0:3.11.82-1.git.0.efb6af0.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-descheduler-0:3.11.82-1.git.300.89765c9.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-dockerregistry-0:3.11.82-1.git.452.0ce6383.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-metrics-server-0:3.11.82-1.git.52.2fdca3f.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-node-problem-detector-0:3.11.82-1.git.254.a448936.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-service-idler-0:3.11.82-1.git.14.e353758.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-web-console-0:3.11.82-1.git.355.5e8b1d9.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "golang-github-openshift-oauth-proxy-0:3.11.82-1.git.425.7cac034.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "golang-github-prometheus-alertmanager-0:3.11.82-1.git.0.3bf41ce.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "golang-github-prometheus-node_exporter-0:3.11.82-1.git.1063.48444e8.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "golang-github-prometheus-prometheus-0:3.11.82-1.git.5027.9d24833.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "haproxy-0:1.8.17-3.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.150.2.1549032159-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-2-plugins-0:3.11.1549642489-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift-ansible-0:3.11.82-3.git.0.9718d0a.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift-enterprise-autoheal-0:3.11.82-1.git.219.0b5aff4.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}, {"advisory": "RHBA-2019:0326", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "openshift-enterprise-cluster-capacity-0:3.11.82-1.git.380.cf11c51.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2019-02-20T00:00:00Z"}], "bugzilla": {"description": "jenkins-plugin-token-macro: Recursive token expansion results in information disclosure and DoS in Token Macro Plugin (SECURITY-1102)", "id": "1670296", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1670296"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "status": "verified"}, "cwe": "CWE-96", "details": ["An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation."], "name": "CVE-2019-1003011", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Will not fix", "package_name": "jenkins-plugin-token-macro", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Will not fix", "package_name": "jenkins-plugin-token-macro", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Will not fix", "package_name": "jenkins-plugin-token-macro", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Will not fix", "package_name": "jenkins-plugin-token-macro", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2019-01-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-1003011\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1003011\nhttps://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102"], "threat_severity": "Moderate"}

{

affected_release : [ »

0 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-enterprise-service-catalog-1:3.11.82-1.git.1673.133961e.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

1 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-openshift-0:3.11.82-1.git.0.08bc31b.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

2 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-openshift-cluster-autoscaler-0:3.11.82-1.git.0.efb6af0.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

3 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-openshift-descheduler-0:3.11.82-1.git.300.89765c9.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

4 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-openshift-dockerregistry-0:3.11.82-1.git.452.0ce6383.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

5 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-openshift-metrics-server-0:3.11.82-1.git.52.2fdca3f.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

6 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-openshift-node-problem-detector-0:3.11.82-1.git.254.a448936.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

7 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-openshift-service-idler-0:3.11.82-1.git.14.e353758.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

8 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : atomic-openshift-web-console-0:3.11.82-1.git.355.5e8b1d9.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

9 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : golang-github-openshift-oauth-proxy-0:3.11.82-1.git.425.7cac034.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

10 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : golang-github-prometheus-alertmanager-0:3.11.82-1.git.0.3bf41ce.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

11 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : golang-github-prometheus-node_exporter-0:3.11.82-1.git.1063.48444e8.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

12 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : golang-github-prometheus-prometheus-0:3.11.82-1.git.5027.9d24833.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

13 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : haproxy-0:1.8.17-3.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

14 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : jenkins-0:2.150.2.1549032159-1.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

15 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : jenkins-2-plugins-0:3.11.1549642489-1.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

16 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : openshift-ansible-0:3.11.82-3.git.0.9718d0a.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

17 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : openshift-enterprise-autoheal-0:3.11.82-1.git.219.0b5aff4.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

18 : { »

advisory : RHBA-2019:0326 (string)

cpe : cpe:/a:redhat:openshift:3.11::el7 (string)

package : openshift-enterprise-cluster-capacity-0:3.11.82-1.git.380.cf11c51.el7 (string)

product_name : Red Hat OpenShift Container Platform 3.11 (string)

release_date : 2019-02-20T00:00:00Z (string)

}

]

bugzilla : { »

description : jenkins-plugin-token-macro: Recursive token expansion results in information disclosure and DoS in Token Macro Plugin (SECURITY-1102) (string)

id : 1670296 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=1670296 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.1 (string)

cvss3_scoring_vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H (string)

status : verified (string)

}

cwe : CWE-96 (string)

details : [ »

0 : An information exposure and denial of service vulnerability exists in Jenkins Token Macro Plugin 2.5 and earlier in src/main/java/org/jenkinsci/plugins/tokenmacro/Parser.java, src/main/java/org/jenkinsci/plugins/tokenmacro/TokenMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/AbstractChangesSinceMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ChangesSinceLastBuildMacro.java, src/main/java/org/jenkinsci/plugins/tokenmacro/impl/ProjectUrlMacro.java that allows attackers with the ability to control token macro input (such as SCM changelogs) to define recursive input that results in unexpected macro evaluation. (string)

]

name : CVE-2019-1003011 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:openshift:3.10 (string)

fix_state : Will not fix (string)

package_name : jenkins-plugin-token-macro (string)

product_name : Red Hat OpenShift Container Platform 3.10 (string)

}

1 : { »

cpe : cpe:/a:redhat:openshift:3.6 (string)

fix_state : Will not fix (string)

package_name : jenkins-plugin-token-macro (string)

product_name : Red Hat OpenShift Container Platform 3.6 (string)

}

2 : { »

cpe : cpe:/a:redhat:openshift:3.7 (string)

fix_state : Will not fix (string)

package_name : jenkins-plugin-token-macro (string)

product_name : Red Hat OpenShift Container Platform 3.7 (string)

}

3 : { »

cpe : cpe:/a:redhat:openshift:3.9 (string)

fix_state : Will not fix (string)

package_name : jenkins-plugin-token-macro (string)

product_name : Red Hat OpenShift Container Platform 3.9 (string)

}

4 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Affected (string)

package_name : jenkins-2-plugins (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

]

public_date : 2019-01-28T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2019-1003011 https://nvd.nist.gov/vuln/detail/CVE-2019-1003011 https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102 (string)

]

threat_severity : Moderate (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object