CVE-2019-10392 PoC — CloudBees Jenkins Git Client Plugin OS Command Injection Vulnerability

Source
Associated Vulnerability
Title: CloudBees Jenkins Git Client Plugin OS Command Injection Vulnerability (CVE-2019-10392)
Description: Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.
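The description above attributes the injection to unrestricted values reaching the URL argument of `git ls-remote`. The following is an added example, not code from this repository or from the Jenkins plugin, showing one way a caller can restrict that argument before invoking git; the function names, the scheme allow-list and the sample URLs in it are assumptions.

```python
import subprocess
from urllib.parse import urlsplit

# Assumption: the URL schemes this deployment accepts for remotes.
# scp-style remotes (user@host:path) have no scheme and are rejected here.
ALLOWED_SCHEMES = {"https", "ssh", "git"}


class UnsafeRemote(ValueError):
    """Raised when a value must not be handed to git as a remote."""


def validate_remote(url: str) -> str:
    """Return url unchanged if it is acceptable as a git remote argument."""
    if not url or url != url.strip():
        raise UnsafeRemote("empty value or surrounding whitespace")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeRemote("control character in remote")
    if url.startswith("-"):
        # git would parse this as a command-line option, not a repository.
        raise UnsafeRemote("remote looks like an option")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeRemote(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise UnsafeRemote("remote has no host")
    return url


def ls_remote_argv(url: str) -> list[str]:
    """Build the argv for `git ls-remote` with the URL after end-of-options."""
    # "--" ends option parsing, so the validated value is positional only.
    return ["git", "ls-remote", "--", validate_remote(url)]


def ls_remote(url: str, timeout: int = 30) -> str:
    """Run git with a list argv (no shell) and return the advertised refs."""
    result = subprocess.run(ls_remote_argv(url), capture_output=True,
                            text=True, timeout=timeout, check=True)
    return result.stdout
```

Validation and the `--` separator are independent layers: either one alone keeps an option-like value from being parsed as a git option, and the list-form `subprocess.run` keeps a shell out of the path entirely.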
Description
CVE-2019-10392 RCE Jackson with Git Client Plugin 2.8.2 (Authenticated)
Readme
# CVE-2019-10392 RCE with Git Client Plugin 2.8.2 (Authenticated)

![](./newjob.jpg)
![](./configure.jpg)
![](./exploit.jpg)
![](./script.jpg)

## 0x01 Starting with Docker

`docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:lts-alpine`


## 0x02 Vulnerable environment

```
Jenkins 2.176.3
Git Client Plugin 2.8.2

https://updates.jenkins-ci.org/download/plugins/git-client/
Git Plugin 3.12.0
```

## References

https://iwantmore.pizza/posts/cve-2019-10392.html

https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
File Snapshot

[4.0K] /data/pocs/2fa4cfb0ab626e04a6663f4c08042915ea358187
├── [145K] configure.jpg
├── [171K] exploit.jpg
├── [157K] newjob.jpg
├── [ 539] README.md
└── [278K] script.jpg

0 directories, 5 files