CVE-2019-10392 — Improper Neutralization of Special Elements used in an OS Command in Jenkins Git

Description

Jenkins Git Client Plugin 2.8.4 and earlier did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

How to fix CVE-2019-10392

To remediate CVE-2019-10392, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.plugins:git-client—upgrade to 2.8.5 or later

Is CVE-2019-10392 being exploited?

Likely — EPSS is 73.9%, placing CVE-2019-10392 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 2.8.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10392
WEBgithub.com/jenkinsci/git-client-plugin/commit/899123fa2eb9dd2c37137aae630c47c6be6b4b02
WEBjenkins.io/security/advisory/2019-09-12/#SECURITY-1534
WEBwww.openwall.com/lists/oss-security/2019/09/12/2