VYPR
Get started
← All advisories
Medium severity6.1NVD Advisory· Published Apr 7, 2016· Updated May 6, 2026

CVE-2016-0789

CVE-2016-0789

Description

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.main:jenkins-coreMaven
>= 1.643, < 1.6501.650
org.jenkins-ci.main:jenkins-coreMaven
< 1.642.21.642.2

Affected products

3
  • Jenkins/Jenkins2 versions
    cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*range: <=1.649
    • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*range: <=1.642.1
  • Red Hat/Openshift
    cpe:2.3:a:redhat:openshift:3.1:*:*:*:enterprise:*:*:*

Patches

1
f5c51fbad2b6

[FIX SECURITY-238] Don't echo command name

https://github.com/jenkinsci/jenkinsDaniel BeckJan 26, 2016via ghsa
commit
1 file changed · +1 1
  • core/src/main/java/hudson/cli/CLIAction.java+1 1 modified
    @@ -78,7 +78,7 @@ public void doCommand(StaplerRequest req, StaplerResponse rsp) throws ServletExc
         final String commandName = req.getRestOfPath().substring(1);
         CLICommand command = CLICommand.clone(commandName);
         if (command == null) {
-            rsp.sendError(HttpServletResponse.SC_NOT_FOUND, "No such command " + commandName);
+            rsp.sendError(HttpServletResponse.SC_NOT_FOUND, "No such command");
             return;
         }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.