CVE-2016-3721: Code Injection in Project Jenkins Subversion Partial Release Manager Plugin

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.4% (top 40.54%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: May 17
Latest update: May 2

Description

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages: 3 packages

🔴 Vulnerability Details (4)

GHSA: Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721 (2024-05-02)
GHSA: Jenkins allows Remote Users to Inject Build Parameters (2022-05-14)
OSV: Jenkins allows Remote Users to Inject Build Parameters (2022-05-14)
CVEList: CVE-2016-3721: Jenkins before 2 (2016-05-17)

📋 Vendor Advisories (3)

Jenkins: Jenkins Security Advisory 2024-05-02 (2024-05-02)
Red Hat: jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170) (2016-05-11)
Jenkins: Jenkins Security Advisory 2016-05-11 (2016-05-11)

💬 Community (2)

Bugzilla: CVE-2016-3721 jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170) (2016-05-12)
Bugzilla: CVE-2016-3721 CVE-2016-3722 CVE-2016-3723 CVE-2016-3724 CVE-2016-3725 CVE-2016-3726 CVE-2016-3727 jenkins: various flaws [fedora-all] (2016-05-12)