The embeddable build status plugin accepts parameters as part of the subject argument and then will replace those parameters with the expanded value of the argument. Allowed parameters include:

• buildId
• buildNumber
• displayName
• description
• duration
• startTime

A few of those parameters have content that a Jenkins user with sufficient permission can modify. For example, the "Edit build information" link on individual jobs will allow a Jenkins user to modify the displayName and the description of that build.

If the value of the build description includes the word "description", embeddable build status plugin releases prior to 304.vdcf48d6b_d2eb will attempt to create a string that continually tries to replace every occurrence of the word "description" in the string with the full string.

Expected Behavior

Embeddable build status URLs that have a subject with a description parameter where the value of the build description includes the word "description" should only replace the parameter in the string with its value.

Actual Behavior

Embeddable build status URLs that have a subject with a description parameter where the value of the build description includes the word "description" never return from the HTTP request and are likely using lots of memory on the Jenkins controller until the processing of that request fails.