
CVE-2019-1003011: Jenkins Token Macro Plugin's recursive token expansion results in information disclosure and DoS

CVSS Score: 6.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.68195%
Published: 5/13/2022
Updated: 12/15/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Package Name: org.jenkins-ci.plugins:token-macro
Ecosystem: maven
Vulnerable Versions: <= 2.5
First Patched Version: 2.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from recursive token expansion without depth control. The Parser.processToken() method handled token replacement recursively but lacked a recursion limit prior to the patch, enabling infinite recursion. Additionally, AbstractChangesSinceMacro and ChangesSinceLastBuildMacro's evaluate() methods processed user-controllable format/path parameters through TokenMacro.expandAll() without limiting recursion depth, creating secondary expansion vectors. The commit introduced a MAX_RECURSION_LEVEL check in Parser and removed nested expansion capabilities from these macros, confirming their role in the vulnerability.
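The mechanism described above is easier to see in a small model. The following is an added example and is not code from the Jenkins Token Macro Plugin: a minimal `${NAME}` expander written three ways, the pre-patch shape that re-expands every substitution result without limit, the patched shape with a depth cap (the constant name `MAX_RECURSION_LEVEL` is borrowed from the analysis, its value here is an assumption), and the second mitigation of inserting macro output literally so that tokens inside untrusted data such as change log messages are never re-evaluated. The macro names and values are constructed for the example. Python is used here so the behaviour can be run directly; the plugin itself is Java.

```python
import re

# ${NAME} tokens; macro names and values in this file are constructed for the example.
TOKEN_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Assumed depth cap, named after the MAX_RECURSION_LEVEL check the patch added
# to Parser; the real plugin's value is not taken from this page.
MAX_RECURSION_LEVEL = 10


class ExpansionTooDeep(Exception):
    """Raised when nested token expansion exceeds MAX_RECURSION_LEVEL."""


def expand_unbounded(text, macros):
    """Pre-patch shape: every substitution result is expanded again, with no limit.

    A macro whose value contains a token referring back to itself (for example
    a change log message carrying '${CHANGES}' inside the CHANGES output) never
    reaches a fixed point, so Python eventually raises RecursionError. In a
    long-running server the equivalent is a stack overflow: the DoS in the CVE.
    """
    def repl(match):
        name = match.group(1)
        if name not in macros:
            return match.group(0)  # unknown token is left as-is
        return expand_unbounded(macros[name], macros)
    return TOKEN_RE.sub(repl, text)


def expand_bounded(text, macros, depth=0):
    """Patched shape: the same recursion, but refused beyond MAX_RECURSION_LEVEL."""
    if depth > MAX_RECURSION_LEVEL:
        raise ExpansionTooDeep(f"token nesting deeper than {MAX_RECURSION_LEVEL}")

    def repl(match):
        name = match.group(1)
        if name not in macros:
            return match.group(0)
        return expand_bounded(macros[name], macros, depth + 1)
    return TOKEN_RE.sub(repl, text)


def expand_without_nesting(text, macros):
    """Second mitigation: macro output is inserted literally, never re-expanded.

    This mirrors the patch removing nested expansion from the ChangesSince
    macros: tokens that arrive inside untrusted data (commit messages) are
    printed, not evaluated, so they can neither recurse nor reach other macros.
    """
    return TOKEN_RE.sub(lambda m: macros.get(m.group(1), m.group(0)), text)


def safe_expand(expander, text, macros):
    """Run an expander and report (ok, result) instead of propagating the crash."""
    try:
        return True, expander(text, macros)
    except (ExpansionTooDeep, RecursionError) as exc:
        return False, type(exc).__name__


# Constructed sample macros. CHANGES models change log text that a committer
# controls and that itself contains a token, the input class the advisory names.
SAMPLE_MACROS = {
    "USER": "alice",
    "GREETING": "Hello, ${USER}",
    "CHANGES": "fix build ${CHANGES}",
}

if __name__ == "__main__":
    for fn in (expand_unbounded, expand_bounded, expand_without_nesting):
        print(fn.__name__,
              safe_expand(fn, "${GREETING}!", SAMPLE_MACROS),
              safe_expand(fn, "${CHANGES}", SAMPLE_MACROS))
```

Running the block shows the three behaviours side by side: the unbounded expander handles the benign nested `GREETING` macro but crashes with `RecursionError` on the self-referential `CHANGES` value, the bounded one turns that crash into a controlled `ExpansionTooDeep` error after ten levels, and the no-nesting variant never recurses at all, at the cost of not resolving `${USER}` inside `GREETING`. A depth cap alone still lets a limited number of injected tokens be evaluated, which is why the patch also stopped re-expanding the output of the change-set macros.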

Vulnerable functions


WAF Protection Rules

WAF Rule

Jenkins Token Macro Plugin recursively applied token expansion. This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in
