[MAVEN:GHSA-7592-93RM-6GPX] Injection in Jenkins

Severity Moderate

Affected Packages 2

Fixed Packages 2

CVEs 1

A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Package	Affected Version
pkg:maven/org.jenkins-ci.main/jenkins-core	>= 2.108, <= 2.120
pkg:maven/org.jenkins-ci.main/jenkins-core	<= 2.107.2

Package	Fixed Version
pkg:maven/org.jenkins-ci.main/jenkins-core	= 2.121
pkg:maven/org.jenkins-ci.main/jenkins-core	= 2.107.3

ID

MAVEN:GHSA-7592-93RM-6GPX

Severity

moderate

URL

https://github.com/advisories/GHSA-7592-93rm-6gpx

Published

2022-05-13T01:01:02
(2 years ago)

Modified

2023-01-27T05:02:05
(20 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-786

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2018-1000193
			https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786
			https://www.oracle.com/security-alerts/cpuapr2022.html
			https://github.com/jenkinsci/jenkins/commit/de7aaab441151fb1760855fec83681c6a8756a45
			https://github.com/advisories/GHSA-7592-93rm-6gpx

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	>= 2.108 <= 2.120
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 2.121
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	<= 2.107.2
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 2.107.3

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date