CVE-2019-10392

HIGH

Jenkins Git Client Plugin < 2.8.4 - OS Command Injection via Git ls-remote URL Argument

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-10392. PoCs published by jas502n, ftk-sostupid, shoucheng3.

Description

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

Exploits (3)

nomisec WRITEUP 21 stars
by jas502n · poc
https://github.com/jas502n/CVE-2019-10392

This repository provides a technical writeup and references for CVE-2019-10392, an RCE vulnerability in Jenkins Git Client Plugin 2.8.2. It includes environment setup instructions, affected versions, and links to detailed analysis but lacks functional exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Jenkins with Git Client Plugin 2.8.2
Auth required
Prerequisites: Authenticated access to Jenkins · Git Client Plugin 2.8.2 installed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by ftk-sostupid · poc
https://github.com/ftk-sostupid/CVE-2019-10392_EXP

This repository contains a functional Python exploit for CVE-2019-10392, an authenticated RCE vulnerability in Jenkins Git Client Plugin versions <= 2.8.2. The exploit leverages the Git plugin's URL validation feature to execute arbitrary commands via crafted Git repository URLs.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jenkins Git Client Plugin <= 2.8.2
Auth required
Prerequisites: Valid Jenkins credentials · Git Client Plugin <= 2.8.2 installed · Network access to Jenkins instance
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/jenkinsci__git-client-plugin_CVE-2019-10392_2-8-4

This repository contains source code and documentation for the Jenkins Git Client Plugin, specifically referencing CVE-2019-10392. It includes Java source files, configuration files, and contributing guidelines, but no functional exploit code or technical analysis of the vulnerability itself.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Jenkins Git Client Plugin
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/09/12/2

Scores

CVSS v3: 8.8
EPSS: 0.7388
EPSS Percentile: 98.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (3)
jenkins/git_client 3.0.0 rc
jenkins/git_client < 2.8.4
org.jenkins-ci.plugins/git-client 0 - 2.8.5 (Maven)
Published: Sep 12, 2019
Tracked Since: Feb 18, 2026