Description
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
Configuration 1 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat OpenShift Container Platform 3.6 | |||
| atomic-openshift-0:3.6.173.0.21-1.git.0.f95b0e7.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| fluentd-0:0.12.39-2.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| jenkins-2-plugins-0:3.7.1502412812-1.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| kibana-0:4.6.4-3.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| rubygem-cool.io-0:1.5.1-1.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| rubygem-excon-0:0.58.0-1.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| rubygem-faraday-0:0.13.0-1.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| rubygem-fluent-plugin-kubernetes_metadata_filter-0:0.29.0-1.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| rubygem-fluent-plugin-viaq_data_model-0:0.0.5-1.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| rubygem-i18n-0:0.8.6-1.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
| rubygem-systemd-journal-0:1.3.0-1.el7 | cpe:/a:redhat:openshift:3.6::el7 | RHBA-2017:2642 | 2017-09-08T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2022-5154 | Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server. |
 Github GHSA |
GHSA-rf5q-8gx3-xqfc | Cross-Site Request Forgery in Jenkins Git Plugin |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-05T21:53:06.676Z
Reserved: 2017-07-13T00:00:00.000Z
Link: CVE-2017-1000092
Vulnrichment
No data.
NVD
Status : Modified
Published: 2017-10-05T01:29:03.773
Modified: 2026-05-13T00:24:29.033
Link: CVE-2017-1000092
Redhat
OpenCVE Enrichment
No data.
Weaknesses