CVE-2017-1000092

CWE-352Cross-Site Request Forgery (CSRF)7 documents7 sources
Severity
7.5HIGH
EPSS
0.1%
top 64.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jenkins GIT
Timeline
PublishedOct 5
Latest updateMay 17

Description

Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

NVDjenkins/git103 versions+102

🔴Vulnerability Details

3
GHSA
Cross-Site Request Forgery in Jenkins Git Plugin2022-05-17
OSV
Cross-Site Request Forgery in Jenkins Git Plugin2022-05-17
CVEList
CVE-2017-1000092: Git Plugin connects to a user-specified Git repository as part of form validation2017-10-04

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2017-07-102017-07-10
Red Hat
jenkins-plugin-git: CSRF vulnerability allows capturing credentials (SECURITY-528)2017-07-10

💬Community

1
Bugzilla
CVE-2017-1000092 jenkins-plugin-git: CSRF vulnerability allows capturing credentials (SECURITY-528)2017-07-14
CVE-2017-1000092 (HIGH CVSS 7.5) | Git Plugin connects to a user-speci | cvebase.io