CVE-2024-23899

2024-01-2418:15:09

jenkins

web.nvd.nist.gov

cve-2024-23899

jenkins

git server plugin

arbitrary file read

security vulnerability

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.

Affected configurations

Nvd

Node

jenkinsgit_serverRange≤99.va_0826a_b_cdfa_djenkins

VendorProductVersionCPE
jenkinsgit_server*cpe:2.3:a:jenkins:git_server:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
jenkins	git_server	*	cpe:2.3:a:jenkins:git_server::::::jenkins::*

CNA Affected

[
  {
    "vendor": "Jenkins Project",
    "product": "Jenkins Git server Plugin",
    "versions": [
      {
        "version": "0",
        "versionType": "maven",
        "lessThanOrEqual": "99.va_0826a_b_cdfa_d",
        "status": "affected"
      }
    ],
    "defaultStatus": "unaffected"
  }
]