Lucene search

GoogleOSV:GHSA-XH9C-VCF9-H94M

HistoryMay 02, 2024 - 3:30 p.m.

Jenkins Git server Plugin does not perform a permission check

2024-05-0215:30:35

Google

osv.dev

jenkins

git

permission

vulnerability

ssh

access

software

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH.

This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access Git repositories.

Git server Plugin 117.veb_68868fa_027 requires Overall/Read permission to access Git repositories over SSH.

References

www.openwall.com/lists/oss-security/2024/05/02/3

nvd.nist.gov/vuln/detail/CVE-2024-34146

www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3342

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for OSV:GHSA-XH9C-VCF9-H94M