6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-0789

GHSA ID

GHSA-8p3c-m625-wh83

EPSS Score

0.44089%

CWE

CWE-20

Published

5/14/2022

Updated

3/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-0789

CVE-2016-0789: Jenkins has CRLF Injection Vulnerability in the CLI

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-0789

GHSA ID

GHSA-8p3c-m625-wh83

EPSS Score

0.44089%

CWE

CWE-20

Published

5/14/2022

Updated

3/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	>= 1.643, < 1.650	1.650
org.jenkins-ci.main:jenkins-core	maven	< 1.642.2	1.642.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from directly embedding user-controlled input (commandName) in HTTP error responses without proper sanitization. The patch removes the commandName parameter from the error message, indicating this was the injection vector. The sendError method call with unsanitized input creates HTTP response splitting opportunities when commandName contains CRLF sequences to inject headers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*RL* inj**tion vuln*r**ility in t** *LI *omm*n* *o*um*nt*tion in J*nkins ***or* *.*** *n* LTS ***or* *.***.* *llows r*mot* *tt**k*rs to inj**t *r*itr*ry *TTP *****rs *n* *on*u*t *TTP r*spons* splittin* *tt**ks vi* unsp**i*i** v**tors.

Reasoning

T** vuln*r**ility st*ms *rom *ir**tly *m****in* us*r-*ontroll** input (*omm*n*N*m*) in *TTP *rror r*spons*s wit*out prop*r s*nitiz*tion. T** p*t** r*mov*s t** *omm*n*N*m* p*r*m*t*r *rom t** *rror m*ss***, in*i**tin* t*is w*s t** inj**tion v**tor. T**

6.1

Basic Information

Concerned about an active attack path?

CVE-2016-0789: Jenkins has CRLF Injection Vulnerability in the CLI

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI