CVE-2018-1000193 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.107.3 || >=2.108 <2.121
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00551 (percentile: 0.67014)
Details
Injection in Jenkins
An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older, in HudsonPrivateSecurityRealm.java. It allows users to sign up using user names containing control characters; these users can then appear to have the same name as other users, and cannot be deleted via the UI.
Metadata
Created: 2022-05-13T01:01:02Z
Modified: 2022-06-30T17:34:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7592-93rm-6gpx/GHSA-7592-93rm-6gpx.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-7592-93rm-6gpx
Finding: F184
Auto approve: 1