CVE-2019-10392

HIGH

Jenkins Git Client < 2.8.4 - OS Command Injection

Title source: rule

Description

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

Exploits (3)

nomisec WRITEUP 21 stars
by jas502n · poc
https://github.com/jas502n/CVE-2019-10392
nomisec WORKING POC 3 stars
by ftk-sostupid · poc
https://github.com/ftk-sostupid/CVE-2019-10392_EXP
nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/jenkinsci__git-client-plugin_CVE-2019-10392_2-8-4

Scores

CVSS v3 8.8
EPSS 0.8082
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (3)
jenkins/git_client 3.0.0 rc
jenkins/git_client < 2.8.4
org.jenkins-ci.plugins/git-client 0 - 2.8.5 (Maven)
Published Sep 12, 2019
Tracked Since Feb 18, 2026