OS Command Injection in Jenkins Git Client Plugin by Jenkins
CVE-2019-10392

8.8HIGH

Key Information:

Vendor

Jenkins
Status
Jenkins Git Client Plugin
Vendor
CVE Published:
12 September 2019

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 80%

What is CVE-2019-10392?

The Jenkins Git Client Plugin versions 2.8.4 and earlier, along with 3.0.0-rc, exhibit a security flaw that fails to adequately restrict the values that can be passed as URL arguments during the invocation of 'git ls-remote'. This vulnerability can be exploited to perform OS command injection, potentially allowing attackers to execute arbitrary commands on the affected server.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Jenkins Git Client Plugin 2.8.4 and earlier, 3.0.0-rc

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-10392
Created by jas502n

CVE-2019-10392_EXP
Created by ftk-sostupid

References

https://jenkins.io/security/advisory/2019-09-12/#SECURITY...
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2019/09/12/2
mailing-listx_refsource_MLIST

EPSS Score

80% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

JSON
.