Red Hat Bugzilla – Bug 1471053
CVE-2017-1000092 jenkins-plugin-git: CSRF vulnerability allows capturing credentials (SECURITY-528)
Last modified: 2017-08-18 01:24:39 EDT
Git Plugin connects to a user-specified Git repository as part of form validation.
An attacker with no direct access to Jenkins, but able to guess a username/password credentials ID, could trick a developer with job configuration permissions into following a link to a maliciously crafted Jenkins URL. The resulting request would cause the Jenkins Git client to send the username and password to an attacker-controlled server.
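The following is an added illustration of the form-validation hardening pattern this class of issue calls for; it is not the Git plugin's own code, and the class name, method names and the RemoteProbe helper are assumptions:

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical Jenkins descriptor, not the Git plugin's real code.
 * RemoteProbe is an assumed stand-in for a helper that contacts the
 * repository at `url` using the credential identified by `credentialsId`.
 */
public class ExampleGitDescriptor {

    // Weak pattern: reachable by a plain GET from any link the victim
    // follows, and it contacts whatever URL the request names using the
    // named credential, with no check on who is asking.
    public FormValidation doCheckUrlUnsafe(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        return RemoteProbe.connect(url, credentialsId)
                ? FormValidation.ok()
                : FormValidation.error("Cannot connect to repository");
    }

    // Hardened pattern: POST only (so the request is subject to Jenkins'
    // CSRF crumb check when CSRF protection is enabled), and the probe runs
    // only for a user allowed to configure the item whose form is validated.
    @RequirePOST
    public FormValidation doCheckUrl(@AncestorInPath Item item,
                                     @QueryParameter String url,
                                     @QueryParameter String credentialsId) {
        if (item == null || !item.hasPermission(Item.CONFIGURE)) {
            // Neither the network nor the credential is touched.
            return FormValidation.ok();
        }
        return RemoteProbe.connect(url, credentialsId)
                ? FormValidation.ok()
                : FormValidation.error("Cannot connect to repository");
    }

    /** Assumed stand-in for the plugin's repository probe. */
    static final class RemoteProbe {
        static boolean connect(String url, String credentialsId) {
            // Constructed placeholder logic; a real probe would open the
            // repository with the resolved credential.
            return url != null && url.startsWith("https://");
        }
    }
}
```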
Name: the Jenkins project
Upstream: Jesse Glick (CloudBees)
This issue affects the versions of jenkins-plugin-git as shipped with Red Hat OpenShift Enterprise 3. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.