GHSA-23h9-m55m-c5jp

GitHub Security Advisory

Jenkins Token Macro Plugin's recursive token expansion results in information disclosure and DoS

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Jenkins Token Macro Plugin recursively applied token expansion.

Users able to affect input to token expansion (such as change log messages) could use this to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example, values of environment variables) or denial of service.

Most tokens have been changed to no longer recursively apply token expansion.
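
The difference between recursive and single-pass expansion, as an added example that is not the plugin's code: a toy expander with a simplified `${NAME}` syntax, run over constructed token values. The token names, the values and both function names are assumptions made for illustration.

```python
import re

# Toy token syntax ${NAME}; this is a simplified model, not the plugin's grammar.
TOKEN = re.compile(r"\$\{([A-Z_]+)\}")


def expand_once(text, tokens):
    """Single pass: token values are inserted as literal text, never re-scanned."""
    return TOKEN.sub(lambda m: tokens.get(m.group(1), m.group(0)), text)


def expand_recursive(text, tokens, max_passes=20):
    """Re-expand the output until it stops changing (the pattern the advisory describes)."""
    for _ in range(max_passes):
        expanded = expand_once(text, tokens)
        if expanded == text:
            return expanded
        text = expanded
    # Without a pass limit, a self-referencing value would never terminate.
    raise RecursionError("token expansion did not reach a fixed point")


# Constructed sample data (not taken from the advisory).
TEMPLATE = "Changes in this build: ${CHANGES}"
TOKENS = {
    "CHANGES": "Fix typo ${DEPLOY_KEY}",       # change log text, user-influenced
    "DEPLOY_KEY": "constructed-secret-value",  # stands in for an environment value
}
LOOPING = {"CHANGES": "again ${CHANGES}"}      # value that refers to itself


def demo():
    """Return (recursive result, single-pass result, whether the loop case was cut off)."""
    try:
        expand_recursive(TEMPLATE, LOOPING)
        cut_off = False
    except RecursionError:
        cut_off = True
    return expand_recursive(TEMPLATE, TOKENS), expand_once(TEMPLATE, TOKENS), cut_off


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the single-pass result the token embedded in the change log text stays unexpanded, which is the behaviour the fix moves most tokens towards.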

Affected Packages

Maven org.jenkins-ci.plugins:token-macro
Affected versions: 0 (fixed in 2.6)

Key Information

GHSA ID: GHSA-23h9-m55m-c5jp
Published: May 13, 2022 1:15 AM
Last Modified: October 25, 2023 11:16 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:token-macro
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.