logo

Database

Cross-site request forgery In org.jenkins-ci.plugins:git

Description

Cross-Site Request Forgery in Jenkins Git Plugin Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2017-10000922. NVD-2017-10000923. OSV-2017-10000924. GCVE-2017-1000092

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=14710532. https://jenkins.io/security/advisory/2017-07-10

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.