CVE-2018-1000193

Published: Jun 5, 2018Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Affected (3)

Products: Jenkins: Jenkins · Oracle: Communications Cloud Native Core Automated Test Suite

1 product

1 product

Communications Cloud Native Core Automated Test Suite

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Up to 2.120

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Up to 2.107.2

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Cloud Native Core Automated Test Suite	Version 1.9.0

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (4)

https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786

Source: cve@mitre.org

Vendor Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.