CVE-2017-1000092: Cross-Site Request Forgery (CSRF)

October 5, 2017 (updated October 17, 2017)

The Git plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.

References

Detect and mitigate CVE-2017-1000092 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 0.1.0 up to 0.7.3, all versions starting from 0.8.0 up to 0.8.2, all versions starting from 0.9.0 up to 0.9.2, all versions starting from 1.0.0 up to 1.0.1, all versions starting from 1.1.0 up to 1.1.29, all versions starting from 1.2.0 up to 1.6.0, all versions starting from 2.0.0 up to 2.0.4, all versions starting from 2.1.0 up to 2.2.12, all versions starting from 2.3.0 up to 2.3.5, all versions starting from 2.4.0 up to 2.4.4, all versions starting from 2.5.0 up to 2.5.3, all versions starting from 2.6.0 up to 2.6.2, all versions starting from 2.6.4 up to 2.6.5, all versions starting from 3.0.0 up to 3.0.5, all versions starting from 3.1.0 up to 3.3.1, version 3.4.0