CVE-2012-6072
Published 2013-02-24
CVE-2012-6072: CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1…
Priority: P4 · 25 · medium · 4.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 1.83% (percentile 76.2)
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Affected
69 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cloudbees | jenkins | <= 1.480.3.1 | — |
| jenkins | jenkins | <= 1.466.2 | — |

The remaining 23 of the 25 shown rows (16 for cloudbees/jenkins, 7 for jenkins/jenkins) carry no version range or fixed-in data.
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat · 4.3 MEDIUM
GHSA
Jenkins allows HTTP Injection and Response Splitting
ghsa · 2022-05-14 · CVE-2012-6072 [MEDIUM] · CWE-113
OSV
Jenkins allows HTTP Injection and Response Splitting
osv · 2022-05-14 · CVE-2012-6072 [MEDIUM]
Jenkins
Jenkins Security Advisory 2012-11-20
vendor_jenkins · 2012-11-20 · CVSS 4.3 · CVE-2012-6072 [MEDIUM]
This advisory announces two security vulnerabilities that were found in Jenkins core.
Description
The first vulnerability is commonly known as an HTTP response splitting vulnerability, which can act as a cross-site scripting vulnerability. It allows an anonymous attacker to inject malicious HTML into pages served by Jenkins, which in turn allows the attacker to escalate privileges by hijacking the sessions of other users. To mount this attack, the attacker needs to know the exact URL of your Jenkins installation. This vulnerability affects those who run Jenkins on its built-in servlet container (this includes all the native packages). (CVE-2012-6072)
The secon
Red Hat
Jenkins: HTTP response splitting
vendor_redhat · 2012-11-20 · CVSS 4.3 · CVE-2012-6072 [MEDIUM]
No detection rules found.
No public exploits indexed.
References:
- http://rhn.redhat.com/errata/RHSA-2013-0220.html
- http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-11-20.cb
- https://bugzilla.redhat.com/show_bug.cgi?id=890607
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20
Published: 2013-02-24