Jenkins · Jenkins Token Macro Plugin · CVE-2019-1003011
Name of the Vulnerable Software and Affected Versions:
Jenkins Token Macro Plugin versions 2.5 and earlier
Description:
An information exposure and denial of service issue exists: attackers who can control token macro input can supply input that is itself recursively evaluated, resulting in unexpected macro evaluation. Users able to affect input to token expansion, such as change log messages, could inject additional tokens into that input; those tokens would then be expanded in turn, resulting in information disclosure (for example, the values of environment variables) or denial of service.
Recommendations:
For Jenkins Token Macro Plugin versions 2.5 and earlier, update to a version in which most tokens have been changed to no longer recursively apply token expansion; this prevents the information disclosure and denial of service described above.
As a temporary workaround, consider restricting the ability to control token macro input to minimize the risk of exploitation.
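To make the mechanism in the description and the effect of the fix concrete, the following is an added example, not the plugin's own code: a deliberately simplified token expander in Python, with the vulnerable re-scanning behaviour beside a single-pass variant that mirrors the fixed behaviour of no longer applying expansion recursively. The token names, the sample environment, the template and the change log text are constructed for illustration and do not reproduce the plugin's implementation.

```python
import re

# Constructed sample build environment (placeholder values, not real secrets).
SAMPLE_ENV = {"BUILD_NUMBER": "42", "DEPLOY_TOKEN": "<placeholder-secret>"}

# A notification template that a job owner controls; ${CHANGES} pulls in
# change log text that a committer controls (constructed for this example).
TEMPLATE = "Build #${BUILD_NUMBER}: ${CHANGES}"

# Simplified token syntax used by this toy expander: ${NAME} or ${NAME,var="ARG"}.
TOKEN_RE = re.compile(r'\$\{([A-Z_]+)(?:,var="([^"]*)")?\}')


def resolve(name, arg, env, changes):
    """Return a token's value, or None for a token this toy expander does not know."""
    if name == "ENV" and arg is not None:
        return env.get(arg, "")
    if name == "CHANGES":
        return changes
    if name == "BUILD_NUMBER":
        return env.get("BUILD_NUMBER", "")
    return None


def _substitute(match, env, changes):
    value = resolve(match.group(1), match.group(2), env, changes)
    return match.group(0) if value is None else value


def expand_recursive(template, env, changes, max_rounds=16):
    """Vulnerable pattern: the expanded text is re-scanned for tokens until it
    stops changing, so tokens carried in by the change log are expanded too.
    A change log that reproduces its own token never converges; the round
    bound turns that into an explicit error instead of unbounded work."""
    text = template
    for _ in range(max_rounds):
        new_text = TOKEN_RE.sub(lambda m: _substitute(m, env, changes), text)
        if new_text == text:
            return text
        text = new_text
    raise RecursionError("token expansion did not converge")


def expand_once(template, env, changes):
    """Hardened pattern: a single pass over the template only. Text substituted
    for a token is inserted literally and never re-scanned, so ${...}
    sequences inside the change log remain plain text."""
    return TOKEN_RE.sub(lambda m: _substitute(m, env, changes), template)


def user_input_carries_tokens(text):
    """Defender-side check: flag user-controlled input that contains token
    syntax, e.g. to audit change log messages while an unpatched plugin is
    still in use."""
    return TOKEN_RE.search(text) is not None


if __name__ == "__main__":
    injected = 'Fix build; see ${ENV,var="DEPLOY_TOKEN"}'
    print(expand_recursive(TEMPLATE, SAMPLE_ENV, injected))  # placeholder secret is exposed
    print(expand_once(TEMPLATE, SAMPLE_ENV, injected))       # token text stays literal
```

Running the block shows the two behaviours side by side: the recursive expander turns the change log's embedded `${ENV,...}` token into the environment value, while the single-pass expander leaves it as inert text. The bounded loop in `expand_recursive` is also where the denial of service shows up: a change log containing `${CHANGES}` never converges, so the expander exhausts its rounds. The `user_input_carries_tokens` check is the kind of audit a defender can run over change log text while the temporary workaround above is in place.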