Jenkins Git client Plugin
cpe:2.3:a:jenkins:git_client:*:*:*:*:jenkins:*:*
- <= 6.3.2
A file system information disclosure vulnerability exists in the Jenkins Git Client Plugin in versions through 6.3.2. When the 'amazon-s3' protocol is used with JGit, the Git URL field validation responses can reveal whether a specified file path exists on the Jenkins controller's file system. This vulnerability allows attackers with Overall/Read permission to check for the existence of files, potentially leading to unauthorized information disclosure.
Exploitation of this vulnerability could allow an attacker to determine the existence of specific file paths on the Jenkins controller, which could be used for further exploitation or information gathering.
Users of the Git Client Plugin should update to version 6.3.3, which removes the 'amazon-s3' protocol option. Instructions for updating Jenkins plugins can be found in the Jenkins documentation.
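A defender-side check for the fix described above, added here as an example and not taken from the advisory or the Jenkins project: it reads a plugin inventory in the shape returned by a controller's `/pluginManager/api/json?depth=1` endpoint and classifies the Git client plugin against the fixed release 6.3.3. The plugin short name `git-client` is not stated on this page and is an assumption, and the sample inventory is constructed.

```python
import json
import re

PLUGIN_ID = "git-client"   # plugin short name; assumption, not stated on the page
FIXED = (6, 3, 3)          # first fixed release according to the advisory text

# Constructed sample in the shape of /pluginManager/api/json?depth=1 output.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.7.0"},
    {"shortName": "git-client", "version": "6.3.2"},
]})


def parse_version(text):
    """Split a version into (numeric tuple padded to 3 fields, has_suffix)."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (3 - len(nums)), bool(m.group(2))


def audit(inventory_json):
    """Return 'absent', 'vulnerable', 'fixed' or 'unknown' for the plugin."""
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        try:
            nums, has_suffix = parse_version(str(plugin.get("version", "")))
        except ValueError:
            return "unknown"      # needs manual review; never assume safe
        if nums < FIXED:          # numeric compare, so 6.10.0 sorts after 6.3.3
            return "vulnerable"
        if nums == FIXED and has_suffix:
            return "unknown"      # pre-release build of 6.3.3: verify by hand
        return "fixed"
    return "absent"


if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```
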