Jenkins Git Plugin CVE-2017-1000092 Cross Site Request Forgery Vulnerability

Git Plugin for Jenkins is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

The following products are affected:

Git Plugin 3.3.1 and prior.
Git Plugin 2.4.0-beta-1 and prior.

Information

Bugtraq ID: 100435
Class: Input Validation Error
CVE: CVE-2017-1000092

Remote: Yes
Local: No
Published: Aug 22 2017 12:00AM
Updated: Aug 22 2017 05:11PM
Credit: Jesse Glick, CloudBees, Inc
Vulnerable: Redhat OpenShift Enterprise 3.0
Jenkins-Ci Git plugin 3.3.1
Jenkins-Ci Git plugin 2.4.0-beta-1

Not Vulnerable: Jenkins-Ci Git plugin 3.3.2
Jenkins-Ci Git plugin 3.4.0-beta-2

Exploit

To exploit this issue, an attacker must entice an unsuspecting victim to follow a malicious URI.

References:

CVE-2017-1000092 (Redhat)
Jenkins CI Homepage (Jenkins CI)
Bug 1471053 - (CVE-2017-1000092) CVE-2017-1000092 jenkins-plugin-git: CSRF vuln (Redhat)
Jenkins Security Advisory 2017-07-10 (Jenkins)

Source: www.securityfocus.com

Exploit Collector

Search Exploit