Vulnerability Description
A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.120 |
| Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
Related Weaknesses (CWE)
References
- https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786Vendor Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://jenkins.io/security/advisory/2018-05-09/#SECURITY-786Vendor Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
FAQ
What is CVE-2018-1000193?
CVE-2018-1000193 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names c...
How severe is CVE-2018-1000193?
CVE-2018-1000193 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000193?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins, Oracle Communications Cloud Native Core Automated Test Suite.