Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1odzZ4LTJxd3YtcnhyN84AAiCH
Improper Neutralization of Special Elements used in an OS Command in Jenkins Git Client Plugin
Jenkins Git Client Plugin 2.8.4 and earlier did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.
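The mechanism behind this advisory, shown as an added example that is not Jenkins or git-client-plugin code and does not reproduce the fix in the referenced commit: `git ls-remote` is launched without a shell, yet a caller-controlled value placed after the subcommand is still parsed by git as an option if it begins with `-`, so an attacker controls how git runs rather than only where it connects. The option-looking value `--upload-pack=/tmp/evil` is an assumed illustration (`--upload-pack` is a documented `git ls-remote` option; the page does not state which payload was used). The names `rejection_reason`, `hardened_argv` and `vulnerable_argv`, the allowed-scheme list, and the rejection of local paths and remote-helper syntax are all assumptions of this example.

```python
# Added example, not code from the Jenkins project or the git-client plugin:
# restricting a URL before it reaches `git ls-remote`.
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumption: the caller should only ever reach network remotes.
ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}
# scp-like form: [user@]host:path (git treats a ':' with no "://" this way)
SCP_LIKE = re.compile(r"^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9._-]+:[^\s]+$")
# remote-helper form: <helper>::<address>, e.g. ext:: which can run commands
REMOTE_HELPER = re.compile(r"^[A-Za-z0-9+.-]+::")


def vulnerable_argv(url: str) -> list[str]:
    """Unsafe pattern: the untrusted value goes straight after the subcommand.
    No shell is involved, but git parses a leading '-' as an option."""
    return ["git", "ls-remote", url]


def rejection_reason(url: str) -> str | None:
    """Explain why `url` must not be passed to `git ls-remote`, or None if OK."""
    if url.startswith("-"):
        return "value would be parsed as a git option"
    if not url or "\x00" in url or any(ch.isspace() for ch in url):
        return "empty, NUL or whitespace in value"
    if REMOTE_HELPER.match(url):
        return "remote-helper syntax (<helper>::...) not allowed"
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return f"scheme {parts.scheme!r} not allowed"
        host = parts.hostname or ""
        # an option-like host would be handed to ssh as an ssh option
        if not host or host.startswith("-"):
            return "missing or option-like host"
        return None
    if SCP_LIKE.match(url):
        host = url.split(":", 1)[0].split("@")[-1]
        if host.startswith("-"):
            return "option-like host"
        return None
    return "not a recognised remote URL form (local paths rejected)"


def hardened_argv(url: str) -> list[str]:
    """Validate first, then end option parsing with '--' so that even a value
    that slipped through is positional for git, never an option."""
    reason = rejection_reason(url)
    if reason is not None:
        raise ValueError(f"rejected git URL {url!r}: {reason}")
    return ["git", "ls-remote", "--", url]


if __name__ == "__main__":
    for candidate in (
        "https://github.com/jenkinsci/git-client-plugin.git",
        "git@github.com:jenkinsci/git-client-plugin.git",
        "--upload-pack=/tmp/evil",      # assumed option-injection payload
        "ext::sh",                       # remote helper that runs a program
        "ssh://-oProxyCommand=x/repo",   # option-like host for ssh
        "file:///etc/passwd",            # local access
    ):
        print(candidate, "->", rejection_reason(candidate) or "accepted")
```

The validation list is deliberately an allow-list of URL shapes rather than a deny-list of characters: the injection here needs no shell metacharacters at all, so a check that only strips `;` or `|` would still pass the option-looking value through. The `--` separator is defence in depth, not a substitute for the check, because a value such as `ext::sh` is a valid positional URL to git and is blocked only by the validator.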
Permalink: https://github.com/advisories/GHSA-hw6x-2qwv-rxr7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odzZ4LTJxd3YtcnhyN84AAiCH
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-hw6x-2qwv-rxr7, CVE-2019-10392
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10392
- https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1534
- http://www.openwall.com/lists/oss-security/2019/09/12/2
- https://github.com/jenkinsci/git-client-plugin/commit/899123fa2eb9dd2c37137aae630c47c6be6b4b02
- https://github.com/advisories/GHSA-hw6x-2qwv-rxr7
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:git-client
Affected Version Ranges: <= 2.8.4
Fixed in: 2.8.5