Advisories for Maven/Org.jenkins-Ci.plugins/Git-Server package

2024

Jenkins Git server Plugin does not perform a permission check

Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH. This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access Git repositories. Git server Plugin 117.veb_68868fa_027 requires Overall/Read permission to access Git repositories over SSH.

Arbitrary file read vulnerability in Git server Plugin can lead to RCE

Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.