Medium severity4.3NVD Advisory· Published May 17, 2016· Updated May 6, 2026

CVE-2016-3721

Description

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.main:jenkins-coreMaven	>= 1.660, < 2.3	2.3
org.jenkins-ci.main:jenkins-coreMaven	< 1.651.2	1.651.2

Affected products

Jenkins/Jenkins2 versions
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*range: <=2.2
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*range: <=1.651.1
Red Hat/Openshift2 versions
cpe:2.3:a:redhat:openshift:3.1:*:*:*:enterprise:*:*:*+ 1 more
- cpe:2.3:a:redhat:openshift:3.1:*:*:*:enterprise:*:*:*
- cpe:2.3:a:redhat:openshift:3.2:*:*:*:enterprise:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-qf2h-h3xq-j93jghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-3721ghsaADVISORY
wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170nvdVendor AdvisoryWEB
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11nvdVendor AdvisoryWEB
www.cloudbees.com/jenkins-security-advisory-2016-05-11nvdVendor AdvisoryWEB
rhn.redhat.com/errata/RHSA-2016-1773.htmlnvdWEB
www.openwall.com/lists/oss-security/2024/05/02/3nvdWEB
access.redhat.com/errata/RHSA-2016:1206nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000