opensearch-build
opensearch-build copied to clipboard
opensearch-project
CVE-2024-23899 (Medium) detected in git-server-1.11.jar
CVE-2024-23899 - Medium Severity Vulnerability
Vulnerable Library - git-server-1.11.jar
This library plugin provides embedded Git server capability inside Jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.11/23a663a8c44397c631b068932fe92f2615ac04c4/git-server-1.11.jar
Dependency Hierarchy:
- :x: git-server-1.11.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
Publish Date: 2024-01-24
URL: CVE-2024-23899
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319
Release Date: 2024-01-24
Fix Resolution: org.jenkins-ci.plugins:git-server:99.101.v720e86326c09
- [ ] Check this box to open an automated fix PR
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "Published by a pub.dev verified publisher"){kind=small}
I drafted a PR to test CVE fixes with the suggested fix but has to close it as it will remediate 6 vulnerabilities, but introduce 4 new vulnerabilities.
