CVE-2019-1003010

MEDIUM

Jenkins Git Plugin <= 3.9.1 - Cross-Site Request Forgery in GitTagAction


Exploitation Summary

EIP tracks 2 public repositories for CVE-2019-1003010, published by dawetmaster and andikahilmy. Both mirror the vulnerable plugin source; neither contains a working exploit.

AI-analyzed exploit summary: This repository contains the vulnerable source code of the Jenkins Git plugin affected by CVE-2019-1003010, specifically focusing on the BranchSpec class. It includes the original codebase with the vulnerability present, but does not contain an exploit PoC or detailed analysis of the vulnerability itself.

Description

A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.
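
As an added example (not the Git plugin's own GitTagAction code, which this page does not reproduce), the following illustrative Jenkins action shows the CWE-352 shape behind this CVE next to a hardened form. Jenkins's CSRF crumb is only enforced on POST, so a Stapler web method that also answers GET can be fired by any page a logged-in user happens to view. The class names, the `tag` URL segment, the choice of `Run.UPDATE` as the permission gate and the tag-name regex are assumptions of this example.

```java
// Illustrative Jenkins action classes (added example, not Git plugin code).
import hudson.model.Action;
import hudson.model.Run;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.logging.Logger;

/** Shared plumbing for the two variants below; "tag" is an assumed URL segment. */
abstract class TagActionBase implements Action {
    private static final Logger LOG = Logger.getLogger(TagActionBase.class.getName());
    protected final Run<?, ?> run;
    private final List<String> tags = new ArrayList<>();

    TagActionBase(Run<?, ?> run) { this.run = run; }

    /** Stand-in for the real side effect: a git tag in the workspace plus metadata on the build. */
    protected void createTag(String tag) throws IOException {
        tags.add(tag);
        LOG.info(() -> "tagged " + run.getFullDisplayName() + " with " + tag);
        run.save();  // persist the build record, as attached metadata would be
    }

    public List<String> getTags() { return Collections.unmodifiableList(tags); }

    @Override public String getIconFileName() { return "save.gif"; }
    @Override public String getDisplayName()  { return "Git Tags"; }
    @Override public String getUrlName()      { return "tag"; }
}

/**
 * Vulnerable shape (CWE-352). Stapler binds doSubmit to .../tag/submit and serves
 * it for any HTTP method. The crumb check only covers POST, so a page the logged-in
 * victim views can trigger it with an image load such as
 * <img src="https://jenkins.example/job/app/42/tag/submit?tag=evil"> (hostname assumed).
 */
class VulnerableTagAction extends TagActionBase {
    VulnerableTagAction(Run<?, ?> run) { super(run); }

    public void doSubmit(StaplerRequest req, StaplerResponse rsp) throws IOException {
        createTag(req.getParameter("tag"));  // no method gate, no permission check
        rsp.sendRedirect(".");
    }
}

/** Hardened shape: POST-only (so the crumb applies), explicit permission check, validated input. */
class HardenedTagAction extends TagActionBase {
    HardenedTagAction(Run<?, ?> run) { super(run); }

    @RequirePOST  // non-POST requests are rejected with 405; a POST must carry a valid crumb
    public void doSubmit(StaplerRequest req, StaplerResponse rsp) throws IOException {
        run.checkPermission(Run.UPDATE);     // assumption: Run/Update is the right gate here
        String tag = req.getParameter("tag");
        if (tag == null || !tag.matches("[A-Za-z0-9][A-Za-z0-9._/-]*")) {
            rsp.sendError(400, "invalid tag name");
            return;
        }
        createTag(tag);
        rsp.sendRedirect(".");
    }
}
```

A quick check on a running instance is to request the action URL with GET while logged in: the hardened form answers 405 Method Not Allowed, while a handler missing `@RequirePOST` performs the side effect. The permission check matters independently of the method gate, because a POST from a victim's browser with a valid crumb still carries the victim's authorization, so the action should require the narrowest permission that legitimately covers modifying a build record.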

Exploits (2)

nomisec WRITEUP
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2019-1003010-Prasanna-vulnerable

Classification
Writeup 90%
Attack Type
CSRF (CWE-352; not RCE)
Complexity
Moderate
Reliability
Theoretical
Target: Jenkins Git Plugin
Auth: none for the attacker (CVSS PR:N); the forged request runs with the session of a logged-in Jenkins user who must be lured to an attacker-controlled page (UI:R)
Prerequisites: A victim logged in to a Jenkins instance running the vulnerable Git plugin, holding whatever permission the tag action needs; the attacker needs no Jenkins account
devstral-2 · analyzed Mar 14, 2026
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2019-1003010-Prasanna-vulnerable

This repository contains the vulnerable source code of the Jenkins Git plugin related to CVE-2019-1003010, specifically focusing on the BranchSpec class. It includes the original codebase with potential vulnerabilities but does not provide an exploit or detailed analysis of the vulnerability itself.

Classification
Writeup 90%
Attack Type
CSRF (CWE-352)
Complexity
Moderate
Reliability
Theoretical
Target: Jenkins Git Plugin
Auth: none for the attacker (CVSS PR:N); the forged request runs with the session of a logged-in Jenkins user who must be lured to an attacker-controlled page (UI:R)
Prerequisites: A victim logged in to a Jenkins instance running the vulnerable Git plugin, holding whatever permission the tag action needs; the attacker needs no Jenkins account
devstral-2 · analyzed Feb 18, 2026

References (2 shown)

Red Hat advisory (Third Party Advisory, vendor-advisory)
https://access.redhat.com/errata/RHBA-2019:0326
Red Hat advisory (Third Party Advisory, vendor-advisory)
https://access.redhat.com/errata/RHBA-2019:0327

Scores

CVSS v3 4.3
EPSS 0.0065
EPSS Percentile 71.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE
CWE-352
Status published
Products (3)
jenkins/git <= 3.9.1
org.jenkins-ci.plugins/git 0 - 3.9.2 (Maven)
redhat/openshift_container_platform 3.11
Published Feb 06, 2019
Tracked Since Feb 18, 2026