CVE-2019-10392

CWE-78 — OS Command Injection8 documents7 sources

Severity

8.8HIGH

EPSS

80.8%

top 0.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins GIT Client Jenkins Project Jenkins GIT Client Plugin

Timeline

PublishedSep 12

Latest updateMay 24

Description

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:git-client< 2.8.5

▶CVEListV5jenkins_project/jenkins_git_client_plugin2.8.4 and earlier, 3.0.0-rc

▶NVDjenkins/git_client2.8.4+1

🔴Vulnerability Details

OSV

Improper Neutralization of Special Elements used in an OS Command in Jenkins Git Client Plugin↗2022-05-24

▶

GHSA

Improper Neutralization of Special Elements used in an OS Command in Jenkins Git Client Plugin↗2022-05-24

▶

CVEList

CVE-2019-10392: Jenkins Git Client Plugin 2↗2019-09-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-09-12↗2019-09-12

▶

Red Hat

jenkins-git-client-plugin: OS command injection via 'git ls-remote'↗2019-09-12

▶

💬Community

Bugzilla

CVE-2019-10392 jenkins-git-client-plugin: OS command injection via 'git ls-remote'↗2020-04-01

▶

Bugzilla

CVE-2018-10392 libvorbis: heap buffer overflow in mapping0_forward function↗2018-05-02

▶