PT-2024-1425 · Jenkins · Jenkins Git Server Plugin

Published 2024-01-24 · Updated 2024-04-11 · CVE-2024-23899

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Git server Plugin versions 99.va_0826a_b_cdfa_d and earlier
Description: The issue lies in the command parser feature of the Jenkins Git server Plugin, which replaces an '@' character followed by a file path in an argument with the contents of that file. This allows attackers with Overall/Read permission to read arbitrary files on the Jenkins controller file system. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited.
Recommendations: For Jenkins Git server Plugin versions 99.va_0826a_b_cdfa_d and earlier, update to version 99.101.v720e86326c09 or later, which disables the command parser feature that replaces an '@' character followed by a file path in an argument with the file's contents. As a temporary workaround, navigate to Manage Jenkins » Security and ensure that the SSHD Port setting in the SSH Server section is set to Disable, which prevents access to Git repositories hosted by Jenkins via SSH.
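The following is an added illustration of the defect class described above, written for this page; it is not code from the Jenkins Git server Plugin or from Jenkins. It models a command parser whose '@<path>' argument expansion reads any file the process can open, next to two hardened variants: one that simply disables the '@' syntax (the approach the advisory's fix takes) and one that goes beyond the page by confining expansion to an allow-listed directory with a resolved-path containment check, the general mitigation for this path-traversal pattern. All file names and contents are constructed in a temporary directory.

```python
"""Constructed model of '@file' argument expansion and two hardened forms.

Not the plugin's code. expand_at_args_vulnerable() mirrors the behaviour the
advisory describes; parse_args_disabled() mirrors the fix (feature turned
off); expand_at_args_restricted() is an additional, assumed design that keeps
the feature but confines it to one directory.
"""
import os
import tempfile


def expand_at_args_vulnerable(args):
    """Vulnerable behaviour: '@<path>' becomes the contents of <path>.

    Any caller allowed to pass arguments can read any file the process can
    open, which is what makes this an arbitrary file read rather than a
    convenience feature."""
    out = []
    for arg in args:
        if arg.startswith("@"):
            with open(arg[1:], "r", encoding="utf-8") as fh:
                out.append(fh.read().rstrip("\n"))
        else:
            out.append(arg)
    return out


def parse_args_disabled(args):
    """Hardened form 1: the '@' syntax is disabled; arguments stay literal."""
    return list(args)


def expand_at_args_restricted(args, allowed_dir):
    """Hardened form 2 (assumed design): expand '@<path>' only when the
    resolved target lies inside allowed_dir. Absolute paths, '..' segments
    and symlinks escaping the directory are rejected after realpath()."""
    base = os.path.realpath(allowed_dir)
    out = []
    for arg in args:
        if not arg.startswith("@"):
            out.append(arg)
            continue
        target = os.path.realpath(os.path.join(base, arg[1:]))
        if os.path.commonpath([base, target]) != base:
            raise ValueError("refusing '@' expansion outside %s" % base)
        with open(target, "r", encoding="utf-8") as fh:
            out.append(fh.read().rstrip("\n"))
    return out


def demo():
    """Run all three parsers over constructed files; returns a dict of results."""
    allowed = tempfile.mkdtemp()
    inside = os.path.join(allowed, "args.txt")          # constructed, allowed
    with open(inside, "w", encoding="utf-8") as fh:
        fh.write("--depth=1\n")
    fd, outside = tempfile.mkstemp(suffix=".txt")        # constructed, "sensitive"
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("SECRET=example-only\n")
    try:
        leaked = expand_at_args_vulnerable(["git-upload-pack", "@" + outside])
        literal = parse_args_disabled(["git-upload-pack", "@" + outside])
        allowed_ok = expand_at_args_restricted(["git-upload-pack", "@args.txt"], allowed)
        try:
            expand_at_args_restricted(["git-upload-pack", "@" + outside], allowed)
            blocked = False
        except ValueError:
            blocked = True
    finally:
        os.unlink(outside)
        os.unlink(inside)
        os.rmdir(allowed)
    return {"leaked": leaked, "literal": literal, "allowed": allowed_ok, "blocked": blocked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable parser returns the constructed "secret" line in place of the argument, the disabled parser hands the '@' argument through untouched, and the restricted parser expands only the file inside its directory while raising on the one outside it. The containment check must run on the realpath() result, not on the raw string, or a symlink inside the allowed directory would defeat it.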

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2024-00899
CVE-2024-23899
GHSA-VPH5-2Q33-7R9H
RHSA-2024:3634
RHSA-2024:3635
RHSA-2024:3636
RHSA-2024:4597

Affected Products

Jenkins
Jenkins Git Server Plugin
Red Os