PT-2019-11786 · Jenkins · Jenkins Git Client Plugin+1

Francesco Soncina

Publicado

2019-09-12

Atualizado

2023-10-25

CVE-2019-10392

CVSS v3.1

8.8

Alta

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Git Client Plugin versions 2.8.4 and earlier Jenkins Git Client Plugin version 3.0.0-rc

Description The issue results from improper restriction of values passed as URL arguments to an invocation of git ls-remote, leading to OS command injection.

Recommendations For Jenkins Git Client Plugin versions 2.8.4 and earlier, update to a version that properly restricts values passed as URL arguments to prevent OS command injection. For Jenkins Git Client Plugin version 3.0.0-rc, update to a version that properly restricts values passed as URL arguments to prevent OS command injection.

Exploit

Correção

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78

Identificadores relacionados

CVE-2019-10392

GHSA-HW6X-2QWV-RXR7

RHSA-2020:2478

Produtos afetados

Jenkins

Jenkins Git Client Plugin

PT-2019-11786 · Jenkins · Jenkins Git Client Plugin+1

CVE-2019-10392

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 8