VYPR
Moderate severity · NVD Advisory · Published Mar 13, 2018 · Updated Sep 16, 2024

CVE-2018-1000110

Description

An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper authorization vulnerability in Jenkins Git Plugin 3.7.0 and earlier allows attackers with network access to obtain a list of nodes and users via GitStatus.java.

Vulnerability

The Jenkins Git Plugin, version 3.7.0 and earlier, contains an improper authorization vulnerability in GitStatus.java. The GitStatus class implements UnprotectedRootAction, which makes its root URL (/git) reachable without authentication, and it also extended AbstractModelObject, the Jenkins base class that gives every subclass the built-in search feature (GitStatus's getSearchUrl returned the same "git" URL name). Because that inherited search feature sat beneath an unprotected root action, anyone with network access could use it to enumerate nodes and users without logging in [2].

Exploitation

An attacker needs only network access to the Jenkins instance; no account or credentials are required. Unauthenticated HTTP requests to the search feature under the Git status endpoint (/git) return the list of nodes and users [2].

Impact

The impact is information disclosure: a list of nodes and users that can seed further reconnaissance (valid usernames for credential attacks, agent names for targeting). Only the confidentiality of this metadata is affected; integrity and availability are not [2].

Mitigation

The vulnerability is fixed in Git Plugin 3.8.0 [4]; upgrade to that version or later. If an upgrade is not immediately possible, restrict network access to the Jenkins instance (the issue is exploitable by anyone who can reach it) or disable the plugin temporarily. The fix stops GitStatus extending AbstractModelObject and removes its getSearchUrl method, so the inherited search feature is no longer exposed; GitStatus still implements UnprotectedRootAction, so the /git root action itself remains reachable without authentication, as it is meant to be [4].
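As an added example (not part of this advisory page or of the git-plugin project), the following script decides whether an installed Git Plugin version falls in the affected range by comparing it against the patched version 3.8.0 from the table below. It reads the plugin list in the JSON shape Jenkins serves at /pluginManager/api/json?depth=1 (the field names plugins, shortName and version are assumed from that API); the sample response embedded in the script is constructed for the example, and the version comparator follows Maven ordering so that 3.10.0 sorts above 3.8.0 and 3.8.0-SNAPSHOT sorts below the 3.8.0 release.

```python
"""Check an installed Jenkins Git Plugin version against CVE-2018-1000110.

Added example; not code from the advisory or the git-plugin project.
"""
import json
import re

PATCHED = "3.8.0"           # patched version stated in the advisory
PLUGIN_SHORT_NAME = "git"   # artifactId of org.jenkins-ci.plugins:git

# Constructed sample of a /pluginManager/api/json?depth=1 response (assumed
# field names; the version numbers are made up for this example).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git-client", "version": "2.7.1", "active": True},
        {"shortName": "git", "version": "3.7.0", "active": True},
    ]
})


def parse_version(v):
    """Split a Maven-style version into a tuple that compares correctly.

    Numeric components compare as integers (so 3.10.0 > 3.8.0, which a plain
    string comparison gets wrong). A qualifier such as -SNAPSHOT or -beta-1
    sorts before the bare release of the same number, matching Maven.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]([0-9A-Za-z.-]+))?$", v.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % (v,))
    numbers = tuple(int(x) for x in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))          # pad "3.7" to (3, 7, 0)
    qualifier = m.group(2)
    # Releases carry (1, ""), pre-releases (0, qualifier): releases win.
    tail = (1, "") if qualifier is None else (0, qualifier.lower())
    return numbers + tail


def is_vulnerable(installed_version, patched=PATCHED):
    """True if installed_version is strictly below the patched version."""
    return parse_version(installed_version) < parse_version(patched)


def installed_git_plugin_version(plugin_manager_json):
    """Return the git plugin's version from the JSON dump, or None if absent."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            return plugin.get("version")
    return None


def assess(plugin_manager_json):
    """Return (version, vulnerable) for the git plugin in the JSON dump.

    A missing plugin yields (None, False): the CVE cannot apply.
    """
    version = installed_git_plugin_version(plugin_manager_json)
    if version is None:
        return None, False
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = assess(SAMPLE_PLUGIN_MANAGER_JSON)
    state = "VULNERABLE (upgrade to 3.8.0 or later)" if vulnerable else "patched"
    print("git plugin %s: %s" % (version, state))
```

Against a live instance you would fetch the JSON with an authenticated request (the plugin manager API requires Overall/Read or Administer depending on configuration) and pass the body to assess(); the comparator is the part worth keeping, since naive string comparison would flag 3.10.0 as older than 3.8.0.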

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Affected versions   Patched versions
org.jenkins-ci.plugins:git (Maven)    < 3.8.0             3.8.0

Patches

a3d3a7eb7f75

Fix SECURITY-723 - info disclosure over http

https://github.com/jenkinsci/git-plugin · Mark Waite · Feb 9, 2018 · via ghsa
3 files changed · +2 −14
  • pom.xml (+1 −1, modified)
    @@ -16,7 +16,7 @@
       </licenses>
     
       <artifactId>git</artifactId>
    -  <version>3.7.1-SNAPSHOT</version>
    +  <version>3.8.0-SNAPSHOT</version>
       <packaging>hpi</packaging>
       <name>Jenkins Git plugin</name>
       <description>Integrates Jenkins with GIT SCM</description>
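Review bot: the version jumps from 3.7.1-SNAPSHOT straight to 3.8.0-SNAPSHOT, so this security fix ships as 3.8.0 with no 3.7.x patch release; the commit message names only SECURITY-723, so mention the version bump there as well, otherwise the "< 3.8.0 / 3.8.0" range in the advisory cannot be traced back to the commit without reading the pom diff.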
    
  • src/main/java/hudson/plugins/git/GitStatus.java (+1 −7, modified)
    @@ -39,18 +39,12 @@
      * Information screen for the use of Git in Hudson.
      */
     @Extension
    -public class GitStatus extends AbstractModelObject implements UnprotectedRootAction {
    +public class GitStatus implements UnprotectedRootAction {
         @Override
         public String getDisplayName() {
             return "Git";
         }
     
    -    @Override
    -    public String getSearchUrl() {
    -        return getUrlName();
    -    }
    -
    -    @Override
         public String getIconFileName() {
             // TODO
             return null;
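Review bot: the last removed line in this hunk is the @Override that belonged to getIconFileName, not to getSearchUrl; getIconFileName still implements Action.getIconFileName() (UnprotectedRootAction extends RootAction extends Action), so keep that annotation and delete only the six lines of getSearchUrl. Dropping `extends AbstractModelObject` is the real fix, since that base class is what supplied the search feature reachable without authentication; the class still implements UnprotectedRootAction, so /git itself stays anonymous by design, and the build should be checked for any other AbstractModelObject member (getSearch, getSearchName) that GitStatus callers may have relied on.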
    
  • src/test/java/hudson/plugins/git/GitStatusTest.java (+0 −6, modified)
    @@ -65,12 +65,6 @@ public void testGetDisplayName() {
             assertEquals("Git", this.gitStatus.getDisplayName());
         }
     
    -    @WithoutJenkins
    -    @Test
    -    public void testGetSearchUrl() {
    -        assertEquals("git", this.gitStatus.getSearchUrl());
    -    }
    -
         @WithoutJenkins
         @Test
         public void testGetIconFileName() {
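Review bot: this hunk only deletes testGetSearchUrl, leaving no test that would fail if GitStatus were made an AbstractModelObject again; replace the removed test with a regression check under the same @WithoutJenkins annotation, for example `assertFalse(this.gitStatus instanceof AbstractModelObject)`, so the inherited search feature cannot be silently reintroduced.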
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
