CVE-2024-23899 (Medium) detected in git-server-1.11.jar #4405
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
|
I drafted a PR to test CVE fixes with the suggested fix but has to close it as it will remediate 6 vulnerabilities, but introduce 4 new vulnerabilities. |
getsaurabh02
moved this from 🆕 New
to Later (6 months plus)
in Engineering Effectiveness Board
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2024-23899 - Medium Severity Vulnerability
This library plugin provides embedded Git server capability inside Jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.11/23a663a8c44397c631b068932fe92f2615ac04c4/git-server-1.11.jar
Dependency Hierarchy:
Found in base branch: main
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
Publish Date: 2024-01-24
URL: CVE-2024-23899
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319
Release Date: 2024-01-24
Fix Resolution: org.jenkins-ci.plugins:git-server:99.101.v720e86326c09
The text was updated successfully, but these errors were encountered: