cvebase
CVE-2019-10392
published 2019-09-12

Priority: P2 (63)
CVSS 3.1: 8.8 high (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 25.78% (97.7th percentile)
Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

Affected (12 ranges)

Vendor           Product                                    Version range   Fixed in
jenkins          aqua_security_serverless_scanner_plugin
jenkins          beaker_builder_plugin
jenkins          build_environment_plugin
jenkins          dashboard_view_plugin
jenkins          git_client                                 <= 2.8.4
jenkins          git_client
jenkins          git_client_plugin
jenkins          git_plugin
jenkins          sandbox_protection_in_script_security_plugin
jenkins          script_security_plugin
jenkins          users_of_git_client_plugin
jenkins_project  jenkins_git_client_plugin

Detection & IOCs (extracted from sources)

command: git ls-remote
  • Monitor for 'git ls-remote' invocations whose repository-URL argument begins with '-' (git would parse it as an option rather than a URL) or contains shell metacharacters; either shape may indicate an OS command injection attempt via Jenkins Git Client Plugin
  • Refer to the Jenkins security advisory for SECURITY-1534 for detailed exploitation patterns and patch guidance
  • Vulnerable versions are Jenkins Git Client Plugin 2.8.4 and earlier, and the 3.0.0-rc release candidate; ensure upgrades target a fixed version beyond these
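The advisory text above says only that the URL argument to 'git ls-remote' was not properly restricted. The following is an added example (not Jenkins Git Client Plugin code, and not the plugin's actual fix) showing the two things a practitioner wants from that statement: a hardened way to build the command line, and detection logic run over process-audit lines. The log format ("pid=… user=… cmd=…") and every sample line are constructed for the example; the suspicious option value is a placeholder path, not a real exploit string.

```python
"""Validate and detect `git ls-remote` argument injection (CVE-2019-10392 shape).

Added example; not code from Jenkins Git Client Plugin. Two ideas:
  1. A value that begins with '-' is parsed by git as an option, not a URL,
     so an unrestricted URL argument lets a caller smuggle git options in.
     Refuse such values and terminate options with '--' before the URL.
  2. Shell metacharacters in the URL are a separate risk if the command is
     ever handed to a shell; flag those too.
"""
import re
import shlex

# Characters that matter if the argument ever reaches /bin/sh.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")

# Benign ls-remote flags an audit line may legitimately contain (git's own
# options; list kept short for the example).
KNOWN_FLAGS = {"-h", "--heads", "-t", "--tags", "-q", "--quiet",
               "--refs", "--symref", "--exit-code", "--get-url"}


def classify_remote_url(url):
    """Return 'ok', 'option_injection' (leading '-') or 'shell_meta'."""
    if url.startswith("-"):
        return "option_injection"
    if SHELL_META.search(url):
        return "shell_meta"
    return "ok"


def build_ls_remote_argv(url):
    """Hardened argv: reject suspicious URLs and end option parsing with '--'.

    git's option parser stops at '--', so even a URL that starts with '-'
    could not be read as an option; we still refuse it because no legitimate
    remote looks like that. Raises ValueError on rejection.
    """
    verdict = classify_remote_url(url)
    if verdict != "ok":
        raise ValueError("refusing remote URL (%s): %r" % (verdict, url))
    return ["git", "ls-remote", "-h", "--", url]


# Constructed process-audit sample (hypothetical format, shell-quoted argv).
SAMPLE_LOG = """\
pid=4021 user=jenkins cmd=git ls-remote -h https://github.com/example/repo.git HEAD
pid=4022 user=jenkins cmd=git ls-remote -h --upload-pack=/tmp/evil.sh HEAD
pid=4023 user=jenkins cmd=git ls-remote -h 'https://example.org/repo.git; id' HEAD
pid=4024 user=jenkins cmd=git fetch origin
"""

LINE_RE = re.compile(r"pid=(\d+) .*?cmd=(.*)$")


def scan_log(text):
    """Return [(pid, verdict, url_argument)] for suspicious ls-remote calls.

    The first token after `git ls-remote` that is not a known flag is taken
    as the repository argument; '--' ends the option zone as git does.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, cmd = m.groups()
        argv = shlex.split(cmd)
        if argv[:2] != ["git", "ls-remote"]:
            continue
        url = None
        end_of_opts = False
        for tok in argv[2:]:
            if not end_of_opts:
                if tok == "--":
                    end_of_opts = True
                    continue
                if tok in KNOWN_FLAGS:
                    continue
            url = tok
            break
        if url is None:
            continue
        verdict = classify_remote_url(url)
        if verdict != "ok":
            hits.append((pid, verdict, url))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("pid=%s verdict=%s arg=%r" % hit)
    print(build_ls_remote_argv("https://github.com/example/repo.git"))
```

The detection is a heuristic: a leading '-' is definitive for option smuggling, while the metacharacter check trades some false positives (a '$' in a password embedded in a URL, say) for coverage of the shell-injection variant the IOC note above describes.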

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_redhat           8.8    HIGH