Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories.
This library plugin provides embedded Git server capability inside Jenkins
Library home page: https://github.com/jenkinsci/git-server-plugin
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-23899
### Vulnerable Library - git-server-1.10.jarThis library plugin provides embedded Git server capability inside Jenkins
Library home page: https://github.com/jenkinsci/git-server-plugin
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Dependency Hierarchy: - :x: **git-server-1.10.jar** (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
### Vulnerability DetailsJenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
Publish Date: 2024-01-24
URL: CVE-2024-23899
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319
Release Date: 2024-01-24
Fix Resolution: org.jenkins-ci.plugins:git-server:99.101.v720e86326c09
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-34146
### Vulnerable Library - git-server-1.10.jarThis library plugin provides embedded Git server capability inside Jenkins
Library home page: https://github.com/jenkinsci/git-server-plugin
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Dependency Hierarchy: - :x: **git-server-1.10.jar** (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
### Vulnerability DetailsJenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories.
Publish Date: 2024-05-02
URL: CVE-2024-34146
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-34146
Release Date: 2024-05-02
Fix Resolution: org.jenkins-ci.plugins:git-server:117.veb_68868fa_027
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.