Advisories for Maven/Org.jenkins-Ci.plugins/Git-Client package

2025

Jenkins Git client Plugin file system information disclosure vulnerability

In Jenkins Git client Plugin 6.3.2 and earlier, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying amazon-s3 protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

2022

Key Exchange without Entity Authentication

Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc does not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

Exposure of Sensitive Information to an Unauthorized Actor

Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file with insecure permissions resulting in information disclosure