GHSA-vph5-2q33-7r9h: Arbitrary file read vulnerability in Git server Plugin can lead to RCE
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with that file's contents. An attacker with Overall/Read permission can therefore supply an argument of the form '@/path/to/file' and have the parser read arbitrary files on the Jenkins controller file system. Git server Plugin 99.101.v720e86326c09 disables this parser feature.
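To make the parser behaviour concrete, here is an added example; it is not code from the Git server Plugin or from Jenkins. The plugin's command parser is Java, but Python's argparse implements the same '@<path>' expansion through its fromfile_prefix_chars option, so it stands in here. The command name, the repo argument and the secret file are constructed for the illustration.

```python
"""Illustrating the '@<path>' argument expansion behind CVE-2024-23899.

Added example; not code from the Git server Plugin or Jenkins. The plugin's
command parser is Java, so Python's argparse, whose fromfile_prefix_chars
option implements the same feature, stands in for it here. The command name,
the 'repo' argument and the secret file are constructed for the illustration.
"""
import argparse
import os
import tempfile


def build_parser(expand_at_files: bool) -> argparse.ArgumentParser:
    """Parser for a hypothetical 'git-upload-pack <repo>' command.

    expand_at_files=True mirrors the vulnerable setting: an argument beginning
    with '@' is replaced by the lines of the file it names.
    expand_at_files=False mirrors the fix: '@...' stays a literal argument.
    """
    parser = argparse.ArgumentParser(
        prog="git-upload-pack",  # hypothetical command name
        fromfile_prefix_chars="@" if expand_at_files else None,
    )
    parser.add_argument("repo", help="repository to serve (hypothetical)")
    return parser


def parse_repo_arg(argv, expand_at_files: bool) -> str:
    """Parse argv with the chosen setting and return the value bound to 'repo'."""
    return build_parser(expand_at_files).parse_args(argv).repo


def demo() -> tuple:
    """Feed the same '@<path>' argument to both parsers.

    Returns (value_from_vulnerable_parser, value_from_fixed_parser).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a one-line secret file on the controller.
        secret_path = os.path.join(tmp, "initialAdminPassword")
        with open(secret_path, "w") as f:
            f.write("0123456789abcdef0123456789abcdef\n")

        argv = ["@" + secret_path]  # what a low-privileged caller would send
        leaked = parse_repo_arg(argv, expand_at_files=True)
        literal = parse_repo_arg(argv, expand_at_files=False)
    return leaked, literal


if __name__ == "__main__":
    leaked, literal = demo()
    print("vulnerable parser saw repo =", repr(leaked))
    print("fixed parser saw repo      =", repr(literal))
```

demo() returns the secret's contents from the parser with the feature enabled and the literal '@...' string from the parser with it disabled; the only difference between the two is the parser option, which is what the patched plugin version turns off. Note that with a multi-line file the expanding parser would split it into several arguments, so how much of a file leaks depends on the command's argument layout.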
GitHub Advisory Database (GitHub Reviewed): CVE-2024-23899
Severity: High. Published to the GitHub Advisory Database Jan 24, 2024; updated Jan 24, 2024.
Package: org.jenkins-ci.plugins:git-server (Maven)
Affected versions: < 99.101.v720e86326c09
Patched versions: 99.101.v720e86326c09
Related news
Red Hat Security Advisory 2024-4597-03 - An update for OpenShift Jenkins is now available for Red Hat Product OCP Tools 4.15. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and traversal vulnerabilities.