Is CVE-2019-10392 known to be exploited?

26 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Jenkins Project Git Client Plugin

CVE-2019-10392

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

EPSS: 0.739 (98.8th percentile) — read the EPSS interpretation.

Affected products

Jenkins Project Git Client Plugin — versions 2.8.4 and earlier, 3.0.0-rc

Public proof-of-concept exploits

jas502n/CVE-2019-10392
ftk-sostupid/CVE-2019-10392_EXP
shoucheng3/jenkinsci__git-client-plugin_CVE-2019-10392_2-8-4
ARPSyndicate/cvemon
Awrrays/FrameVul
BLACKHAT-SSG/Pwn_
PwnAwan/Pwn_
RajChowdhury240/Secure-or-Break-Jenkins
Rajchowdhury420/Secure-or-Break-Jenkins
Retr0-ll/2023-littleTerm

References

jenkins.io/security/advisory/2019-09-12/ (x_refsource_MISC)
[oss-security] 20190912 Multiple vulnerabilities in Jenkins plugins (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2019-10392?: CVE-2019-10392 is a vulnerability in Jenkins Project Git Client Plugin. Published 2019-09-12.
Is CVE-2019-10392 known to be exploited?: 26 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.