CVE-2012-6072: Input Validation
First published: Fri Dec 28 2012(Updated: )
CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins | =1.447.1.1 | |
| Jenkins | =1.447.2.2 | |
| Jenkins | =1.447.3.1 | |
| Jenkins | =1.400 | |
| Jenkins | =1.424 | |
| Jenkins | =1.447 | |
| Jenkins LTS | <=1.466.2 | |
| Jenkins LTS | =1.409.1 | |
| Jenkins LTS | =1.409.2 | |
| Jenkins LTS | =1.409.3 | |
| Jenkins LTS | =1.424.1 | |
| Jenkins LTS | =1.424.2 | |
| Jenkins LTS | =1.424.3 | |
| Jenkins LTS | =1.424.4 | |
| Jenkins LTS | =1.424.5 | |
| Jenkins LTS | =1.424.6 | |
| Jenkins LTS | =1.447.1 | |
| Jenkins LTS | =1.447.2 | |
| Jenkins LTS | =1.466.1 | |
| Jenkins | =1.466.1.2 | |
| Jenkins | =1.466.2.1 | |
| Jenkins | <=1.480.3.1 | |
| Jenkins LTS | =1.400 | |
| Jenkins LTS | =1.401 | |
| Jenkins LTS | =1.402 | |
| Jenkins LTS | =1.403 | |
| Jenkins LTS | =1.404 | |
| Jenkins LTS | =1.405 | |
| Jenkins LTS | =1.406 | |
| Jenkins LTS | =1.407 | |
| Jenkins LTS | =1.408 | |
| Jenkins LTS | =1.409 | |
| Jenkins LTS | =1.410 | |
| Jenkins LTS | =1.411 | |
| Jenkins LTS | =1.412 | |
| Jenkins LTS | =1.413 | |
| Jenkins LTS | =1.414 | |
| Jenkins LTS | =1.415 | |
| Jenkins LTS | =1.416 | |
| Jenkins LTS | =1.417 | |
| Jenkins LTS | =1.418 | |
| Jenkins LTS | =1.419 | |
| Jenkins LTS | =1.420 | |
| Jenkins LTS | =1.421 | |
| Jenkins LTS | =1.422 | |
| Jenkins LTS | =1.423 | |
| Jenkins LTS | =1.424 | |
| Jenkins LTS | =1.425 | |
| Jenkins LTS | =1.426 | |
| Jenkins LTS | =1.427 | |
| Jenkins LTS | =1.428 | |
| Jenkins LTS | =1.429 | |
| Jenkins LTS | =1.430 | |
| Jenkins LTS | =1.431 | |
| Jenkins LTS | =1.432 | |
| Jenkins LTS | =1.433 | |
| Jenkins LTS | =1.434 | |
| Jenkins LTS | =1.435 | |
| Jenkins LTS | =1.436 | |
| Jenkins LTS | =1.437 | |
| Jenkins | =1.424.0.2 | |
| Jenkins | =1.424.0.4 | |
| Jenkins | =1.424.1.1 | |
| Jenkins | =1.424.2.1 | |
| Jenkins | =1.424.4.1 | |
| Jenkins | =1.424.5.1 | |
| Jenkins | =1.424.6.1 | |
| Jenkins | =1.424.6.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2013-0220.html
- http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-11-20.cb
- https://bugzilla.redhat.com/show_bug.cgi?id=890607
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20
- https://rhn.redhat.com/errata/RHSA-2013-0220.html
Frequently Asked Questions
What is the severity of CVE-2012-6072?
CVE-2012-6072 is classified as a medium severity vulnerability that allows remote attackers to inject arbitrary HTTP headers.
How do I fix CVE-2012-6072?
To fix CVE-2012-6072, update Jenkins to version 1.491 or higher, or apply the specific patches provided for affected versions.
What type of attacks can CVE-2012-6072 facilitate?
CVE-2012-6072 can facilitate HTTP response splitting attacks due to CRLF injection.
Which versions of Jenkins are affected by CVE-2012-6072?
CVE-2012-6072 affects Jenkins versions prior to 1.491, along with specific earlier versions of Jenkins LTS and enterprise builds.
Can CVE-2012-6072 impact security in web applications?
Yes, CVE-2012-6072 can severely impact web application security by allowing attackers to manipulate HTTP responses.
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-6072
- agent/last-modified-date
- agent/author
- agent/severity
- agent/references
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cloudbees
- canonical/jenkins
- version/jenkins/1.447.1.1
- version/jenkins/1.447.2.2
- version/jenkins/1.447.3.1
- version/jenkins/1.400
- version/jenkins/1.424
- version/jenkins/1.447
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/1.466.2
- version/jenkins lts/1.409.1
- version/jenkins lts/1.409.2
- version/jenkins lts/1.409.3
- version/jenkins lts/1.424.1
- version/jenkins lts/1.424.2
- version/jenkins lts/1.424.3
- version/jenkins lts/1.424.4
- version/jenkins lts/1.424.5
- version/jenkins lts/1.424.6
- version/jenkins lts/1.447.1
- version/jenkins lts/1.447.2
- version/jenkins lts/1.466.1
- version/jenkins/1.466.1.2
- version/jenkins/1.466.2.1
- version/jenkins/1.480.3.1
- version/jenkins lts/1.400
- version/jenkins lts/1.401
- version/jenkins lts/1.402
- version/jenkins lts/1.403
- version/jenkins lts/1.404
- version/jenkins lts/1.405
- version/jenkins lts/1.406
- version/jenkins lts/1.407
- version/jenkins lts/1.408
- version/jenkins lts/1.409
- version/jenkins lts/1.410
- version/jenkins lts/1.411
- version/jenkins lts/1.412
- version/jenkins lts/1.413
- version/jenkins lts/1.414
- version/jenkins lts/1.415
- version/jenkins lts/1.416
- version/jenkins lts/1.417
- version/jenkins lts/1.418
- version/jenkins lts/1.419
- version/jenkins lts/1.420
- version/jenkins lts/1.421
- version/jenkins lts/1.422
- version/jenkins lts/1.423
- version/jenkins lts/1.424
- version/jenkins lts/1.425
- version/jenkins lts/1.426
- version/jenkins lts/1.427
- version/jenkins lts/1.428
- version/jenkins lts/1.429
- version/jenkins lts/1.430
- version/jenkins lts/1.431
- version/jenkins lts/1.432
- version/jenkins lts/1.433
- version/jenkins lts/1.434
- version/jenkins lts/1.435
- version/jenkins lts/1.436
- version/jenkins lts/1.437
- version/jenkins/1.424.0.2
- version/jenkins/1.424.0.4
- version/jenkins/1.424.1.1
- version/jenkins/1.424.2.1
- version/jenkins/1.424.4.1
- version/jenkins/1.424.5.1
- version/jenkins/1.424.6.1
- version/jenkins/1.424.6.11