Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1odzZ4LTJxd3YtcnhyN84AAiCH

Improper Neutralization of Special Elements used in an OS Command in Jenkins Git Client Plugin

Jenkins Git Client Plugin 2.8.4 and earlier did not properly restrict values passed as the URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

Permalink: https://github.com/advisories/GHSA-hw6x-2qwv-rxr7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odzZ4LTJxd3YtcnhyN84AAiCH
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 5 months ago


CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-hw6x-2qwv-rxr7, CVE-2019-10392
References: Repository: https://github.com/jenkinsci/git-client-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:git-client
Affected Version Ranges: <= 2.8.4
Fixed in: 2.8.5