CVE-2018-1000193
Severity Score
4.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.
Existe una vulnerabilidad de neutralización inadecuada de las secuencias de control en Jenkins 2.120 y versiones anteriores y LTS 2.107.2 y versiones anteriores en HudsonPrivateSecurityRealm.java que permite a los usuarios registrarse utilizando nombres de usuario que contienen caracteres de control que pueden parecer tener el mismo nombre que otros usuarios y que no se pueden eliminar a través de la interfaz de usuario.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-05-09 CVE Reserved
- 2018-06-05 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2022-06-13 |
| URL | Date | SRC |
|---|---|---|
| https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786 | 2022-06-13 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.120 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.120" | - |
Affected
| ||||||
| Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.107.2 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.107.2" | lts |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Cloud Native Core Automated Test Suite Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" | 1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Automated Test Suite" and version "1.9.0" | - |
Affected
| ||||||