CVE-2017-1000092

Name: CVE-2017-1000092
Creator: NVD / NIST
Published: 2017-10-05T01:29:03.773+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 0.77%

Last modified Jun 17, 2026

CVE-2017-1000092 is a vulnerability of currently unknown severity. Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.. EPSS estimates a 0.77% chance of exploitation in the next 30 days.

Description

Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.

Metrics

EPSS Probability

0.77%

50.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-352

Affected Software

Vendor	Product	Versions	Update
Jenkins	Git	0.1.0	—
Jenkins	Git	0.2.0	—
Jenkins	Git	0.3.0	—
Jenkins	Git	0.4.0	—
Jenkins	Git	0.5.0	—
Jenkins	Git	0.6.0	—
Jenkins	Git	0.7.0	—
Jenkins	Git	0.7.1	—
Jenkins	Git	0.7.2	—
Jenkins	Git	0.7.3	—
Jenkins	Git	0.8.0	—
Jenkins	Git	0.8.1	—
Jenkins	Git	0.8.2	—
Jenkins	Git	0.9.0	—
Jenkins	Git	0.9.1	—
Jenkins	Git	0.9.2	—
Jenkins	Git	1.0.0	—
Jenkins	Git	1.0.1	—
Jenkins	Git	1.1.0	—
Jenkins	Git	1.1.1	—
Jenkins	Git	1.1.2	—
Jenkins	Git	1.1.3	—
Jenkins	Git	1.1.4	—
Jenkins	Git	1.1.5	—
Jenkins	Git	1.1.6	—
Jenkins	Git	1.1.7	—
Jenkins	Git	1.1.8	—
Jenkins	Git	1.1.9	—
Jenkins	Git	1.1.10	—
Jenkins	Git	1.1.11	—
Jenkins	Git	1.1.12	—
Jenkins	Git	1.1.13	—
Jenkins	Git	1.1.14	—
Jenkins	Git	1.1.15	—
Jenkins	Git	1.1.16	—
Jenkins	Git	1.1.17	—
Jenkins	Git	1.1.18	—
Jenkins	Git	1.1.19	—
Jenkins	Git	1.1.20	—
Jenkins	Git	1.1.21	—
Jenkins	Git	1.1.22	—
Jenkins	Git	1.1.23	—
Jenkins	Git	1.1.24	—
Jenkins	Git	1.1.25	—
Jenkins	Git	1.1.26	—
Jenkins	Git	1.1.27	—
Jenkins	Git	1.1.28	—
Jenkins	Git	1.1.29	—
Jenkins	Git	1.2.0	—
Jenkins	Git	1.3.0	—

Showing 50 of 103 affected configurations. See NVD for the full list.

References

http://www.securityfocus.com/bid/100435Third Party Advisory, VDB Entry
https://jenkins.io/security/advisory/2017-07-10/Vendor Advisory
http://www.securityfocus.com/bid/100435Third Party Advisory, VDB Entry
https://jenkins.io/security/advisory/2017-07-10/Vendor Advisory

Timeline

Published: Oct 5, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-1000092?

How severe is CVE-2017-1000092?

Severity scoring for CVE-2017-1000092 is pending analysis. The EPSS model estimates a 0.77% probability of exploitation in the next 30 days.

How do I fix CVE-2017-1000092?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-1000092?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST