Advisory Database
  • Advisories
  • Dependency Scanning
  1. maven
  2. ›
  3. org.jenkins-ci.plugins/git-client
  4. ›
  5. CVE-2025-58458

CVE-2025-58458: Jenkins Git client Plugin file system information disclosure vulnerability

September 3, 2025

In Jenkins Git client Plugin 6.3.2 and earlier, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying amazon-s3 protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

References

  • github.com/advisories/GHSA-g2pq-9jr7-w6gv
  • github.com/jenkinsci/git-client-plugin
  • github.com/jenkinsci/git-client-plugin/commit/20090a86c3ebc72e5283c882de73e3a4459137bb
  • nvd.nist.gov/vuln/detail/CVE-2025-58458
  • www.jenkins.io/security/advisory/2025-09-03/

Code Behaviors & Features

Detect and mitigate CVE-2025-58458 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 6.3.3

Fixed versions

  • 6.3.3

Solution

Upgrade to version 6.3.3 or above.

Impact 4.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory

Source file

maven/org.jenkins-ci.plugins/git-client/CVE-2025-58458.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Fri, 05 Sep 2025 12:18:14 +0000.