CVE-2012-6072 — Jenkins allows HTTP Injection and Response Splitting

Description

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

How to fix CVE-2012-6072

To remediate CVE-2012-6072, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.main:jenkins-core—upgrade to 1.491 or later

Is CVE-2012-6072 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.481, < 1.491

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-6072
PATCHgithub.com/jenkinsci/jenkins
WEBrhn.redhat.com/errata/RHSA-2013-0220.html
WEBbugzilla.redhat.com/show_bug.cgi?id=890607
WEB