CVE-2018-1000182
Description
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Git Plugin 3.9.0 and older has a server-side request forgery via repository browser form validation, exploitable with Overall/Read access.
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in Jenkins Git Plugin version 3.9.0 and earlier. The flaw resides in the form validation methods of several repository browser implementations: AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, and ViewGitWeb.java. These methods did not require POST requests or check the user's permission beyond the default Overall/Read access, allowing an attacker to cause Jenkins to send a GET request to an arbitrary URL controlled by the attacker [1][2][4].
Exploitation
An attacker with Overall/Read permission on Jenkins could craft a request to the affected form validation endpoint (e.g., doCheckUrl or similar) to make Jenkins issue a GET request to an attacker-specified URL. Because the methods did not enforce POST requests, the attack could also be triggered via cross-site request forgery (CSRF) [2]. No additional authentication or special network position is required beyond having Overall/Read access in Jenkins [2][4].
Impact
Successful exploitation allows the attacker to use the Jenkins server as a proxy to send GET requests to internal or external hosts. This can lead to reconnaissance of internal networks, access to services that trust the Jenkins server, or information disclosure if the response is reflected back to the attacker. The Jenkins advisory rates the severity as medium (CVSS) [2].
Mitigation
The Jenkins Git Plugin developers fixed the vulnerability in version 3.9.1, released on 2018-06-04 [2]. The fix requires POST requests (via the @RequirePOST annotation) and the Overall/Administer permission for the affected form validation methods [3]. Users should upgrade to Jenkins Git Plugin 3.9.1 or later [2]. As of the advisory date, no known workarounds exist, and the plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
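A detection pass a defender could run over reverse-proxy access logs in front of Jenkins, added here as an example that is not part of this CVE record or of the git plugin: it flags requests to the repository-browser check endpoints of the patched classes, marks the GET variant (the request shape the pre-3.9.1 methods accepted) and extracts the URL Jenkins was asked to fetch. The combined log format, the descriptorByName path shape and the internal-host policy are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format, as a reverse proxy in front of Jenkins would record them
# (Jenkins itself writes no access log by default). Users, source addresses and target URLs are made up.
SAMPLE_LOG = """\
10.0.0.5 - alice [04/Jun/2018:10:01:12 +0000] "POST /descriptorByName/hudson.plugins.git.browser.AssemblaWeb/checkUrl HTTP/1.1" 200 31
10.0.0.9 - bob [04/Jun/2018:10:02:41 +0000] "GET /descriptorByName/hudson.plugins.git.browser.GitBlitRepositoryBrowser/checkUrl?url=http://10.0.1.20:8080/ HTTP/1.1" 200 87
10.0.0.9 - bob [04/Jun/2018:10:03:05 +0000] "GET /descriptorByName/hudson.plugins.git.browser.TFS2013GitRepositoryBrowser/checkRepoUrl?value=https://gitblit.example.com/ HTTP/1.1" 200 87
10.0.0.9 - bob [04/Jun/2018:10:03:30 +0000] "GET /descriptorByName/hudson.plugins.git.browser.ViewGitWeb/checkUrl?url=http://build-secrets.internal/ HTTP/1.1" 200 87
10.0.0.7 - carol [04/Jun/2018:10:04:00 +0000] "GET /job/build-app/configure HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')
# Check endpoints of the patched classes; the descriptorByName path shape (doCheckUrl -> checkUrl) is assumed.
CHECK_RE = re.compile(r'^/descriptorByName/hudson\.plugins\.git\.browser\.\w+/check(?:Url|RepoUrl)$')


def is_internal(host):
    """Assumed policy: private/loopback IPs, bare hostnames and *.internal names count as internal."""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return '.' not in host or host.endswith('.internal')


def find_ssrf_probes(log_text):
    """One finding per request to a repo-browser check endpoint, with the URL Jenkins was asked to fetch."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not CHECK_RE.match(parts.path):
            continue
        params = parse_qs(parts.query)
        # doCheckUrl binds @QueryParameter "url"; doCheckRepoUrl binds "value" (names from the patched signatures)
        fetched = (params.get('url') or params.get('value') or [''])[0]
        if m.group('method') != 'GET':
            severity = 'info'    # POST is what the patched (@RequirePOST) endpoints accept from the config form
        elif is_internal(urlsplit(fetched).hostname or ''):
            severity = 'high'    # GET-triggered fetch aimed at an internal host: the pre-3.9.1 SSRF pattern
        else:
            severity = 'medium'  # GET-triggered fetch of an external host: still the vulnerable request shape
        findings.append({'user': m.group('user'), 'src': m.group('src'), 'method': m.group('method'),
                         'endpoint': parts.path, 'fetched_url': fetched, 'severity': severity})
    return findings
```

On the sample input the function returns four findings: the POST from the config form as info, bob's two GETs toward 10.0.1.20 and build-secrets.internal as high, and his GET toward gitblit.example.com as medium.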
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:git (Maven) | < 3.9.1 | 3.9.1 |
Affected products
Patches (1)
87a03f3d9c4a [SECURITY-810] require POST for repo browser check
12 files changed · +18 −6
src/main/java/hudson/plugins/git/browser/AssemblaWeb.java+2 −0 modified@@ -12,6 +12,7 @@ import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.kohsuke.stapler.DataBoundConstructor; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; @@ -96,6 +97,7 @@ public AssemblaWeb newInstance(StaplerRequest req, @Nonnull JSONObject jsonObjec return req.bindJSON(AssemblaWeb.class, jsonObject); } + @RequirePOST public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException { if (url == null) // nothing entered yet
src/main/java/hudson/plugins/git/browser/FisheyeGitRepositoryBrowser.java+2 −0 modified@@ -12,6 +12,7 @@ import hudson.util.FormValidation.URLCheck; import net.sf.json.JSONObject; import org.kohsuke.stapler.DataBoundConstructor; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; @@ -87,6 +88,7 @@ public FisheyeGitRepositoryBrowser newInstance(StaplerRequest req, @Nonnull JSON * @throws IOException on input or output error * @throws ServletException on servlet error */ + @RequirePOST @SuppressFBWarnings(value="NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE", justification="Jenkins.getInstance() is not null") public FormValidation doCheckRepoUrl(@QueryParameter(fixEmpty = true) String value) throws IOException, ServletException {
src/main/java/hudson/plugins/git/browser/GitBlitRepositoryBrowser.java+2 −0 modified@@ -11,6 +11,7 @@ import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.kohsuke.stapler.DataBoundConstructor; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; @@ -79,6 +80,7 @@ public GitBlitRepositoryBrowser newInstance(StaplerRequest req, @Nonnull JSONObj return req.bindJSON(GitBlitRepositoryBrowser.class, jsonObject); } + @RequirePOST public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException { if (url == null) // nothing entered yet
src/main/java/hudson/plugins/git/browser/Gitiles.java+2 −0 modified@@ -19,6 +19,7 @@ import net.sf.json.JSONObject; import org.kohsuke.stapler.DataBoundConstructor; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; @@ -68,6 +69,7 @@ public Gitiles newInstance(StaplerRequest req, @Nonnull JSONObject jsonObject) t return req.bindJSON(Gitiles.class, jsonObject); } + @RequirePOST public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException { if (url == null) // nothing entered yet return FormValidation.ok();
src/main/java/hudson/plugins/git/browser/TFS2013GitRepositoryBrowser.java+2 −0 modified@@ -14,6 +14,7 @@ import org.eclipse.jgit.transport.RemoteConfig; import org.kohsuke.stapler.AncestorInPath; import org.kohsuke.stapler.DataBoundConstructor; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; @@ -108,6 +109,7 @@ public TFS2013GitRepositoryBrowser newInstance(StaplerRequest req, @Nonnull JSON * @throws IOException on input or output error * @throws ServletException on servlet error */ + @RequirePOST public FormValidation doCheckRepoUrl(@QueryParameter(fixEmpty = true) String value, @AncestorInPath AbstractProject project) throws IOException, ServletException {
src/main/java/hudson/plugins/git/browser/ViewGitWeb.java+2 −0 modified@@ -12,6 +12,7 @@ import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.kohsuke.stapler.DataBoundConstructor; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; @@ -87,6 +88,7 @@ public ViewGitWeb newInstance(StaplerRequest req, @Nonnull JSONObject jsonObject return req.bindJSON(ViewGitWeb.class, jsonObject); } + @RequirePOST public FormValidation doCheckUrl(@QueryParameter(fixEmpty = true) final String url) throws IOException, ServletException { if (url == null) // nothing entered yet return FormValidation.ok();
src/main/resources/hudson/plugins/git/browser/AssemblaWeb/config.jelly+1 −1 modified@@ -1,6 +1,6 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:entry field="repoUrl" title="${%Assembla Git URL}"> - <f:textbox/> + <f:textbox checkMethod="post" /> </f:entry> </j:jelly>
src/main/resources/hudson/plugins/git/browser/FisheyeGitRepositoryBrowser/config.jelly+1 −1 modified@@ -1,6 +1,6 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:entry field="repoUrl" title="${%URL}"> - <f:textbox/> + <f:textbox checkMethod="post" /> </f:entry> </j:jelly>
src/main/resources/hudson/plugins/git/browser/GitBlitRepositoryBrowser/config.jelly+1 −1 modified@@ -1,7 +1,7 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:entry field="repoUrl" title="${%GitBlit root url}"> - <f:textbox/> + <f:textbox checkMethod="post" /> </f:entry> <f:entry field="projectName" title="${%Project name in GitBlit}"> <f:textbox/>
src/main/resources/hudson/plugins/git/browser/Gitiles/config.jelly+1 −1 modified@@ -1,6 +1,6 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:entry field="repoUrl" title="${%URL}"> - <f:textbox/> + <f:textbox checkMethod="post" /> </f:entry> </j:jelly>
src/main/resources/hudson/plugins/git/browser/TFS2013GitRepositoryBrowser/config.jelly+1 −1 modified@@ -1,6 +1,6 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:entry field="repoUrl" title="${%URL or name}"> - <f:textbox/> + <f:textbox checkMethod="post" /> </f:entry> </j:jelly>
src/main/resources/hudson/plugins/git/browser/ViewGitWeb/config.jelly+1 −1 modified@@ -1,7 +1,7 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:entry field="repoUrl" title="${%ViewGit root url}"> - <f:textbox/> + <f:textbox checkMethod="post" /> </f:entry> <f:entry field="projectName" title="${%Project Name in ViewGit}"> <f:textbox/>
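Review bot: in the six Java hunks (doCheckUrl in AssemblaWeb, GitBlitRepositoryBrowser, Gitiles and ViewGitWeb; doCheckRepoUrl in FisheyeGitRepositoryBrowser and TFS2013GitRepositoryBrowser) the only change is the added `@RequirePOST`, which closes the GET and cross-site paths but leaves nothing visible that restricts which authenticated user may make Jenkins fetch the submitted URL. The advisory text describes the fix as also requiring Overall/Administer, so either add `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` as the first statement of each of these methods (the TFS2013 variant, which already receives the project via `@AncestorInPath`, could check a permission on that project instead), or note in the commit message where that check lands.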
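Review bot: the `checkMethod="post"` attribute added in each of the six config.jelly hunks is required rather than cosmetic: without it the form would keep validating the `repoUrl` field via GET and the now `@RequirePOST` methods would reject it, breaking URL validation in the configuration UI. Coverage matches the Java side one-to-one, and the GitBlitRepositoryBrowser and ViewGitWeb hunks correctly leave the unchanged `projectName` textbox alone; adding a short note to that effect in the commit message would help reviewers confirm that no browser was missed.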
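Review bot: the FisheyeGitRepositoryBrowser.java and FisheyeGitRepositoryBrowser/config.jelly hunks patch a browser that the CVE description does not list (it names AssemblaWeb, GitBlitRepositoryBrowser, Gitiles, TFS2013GitRepositoryBrowser and ViewGitWeb only). The commit message should say that doCheckRepoUrl in FisheyeGitRepositoryBrowser had the same shape, so the advisory's affected-component list can be corrected.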
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- github.com/advisories/GHSA-53wf-vqf9-cgf2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000182 (GHSA, advisory)
- github.com/jenkinsci/git-plugin/commit/87a03f3d9c4a0c0a918d91e173b200a6a3b237a7 (GHSA, web)
- jenkins.io/security/advisory/2018-06-04/ (GHSA, x_refsource_CONFIRM, web)
News mentions (0)
No linked articles in our index yet.