PT-2024-25717 · Jenkins · Jenkins Git Server Plugin+1
Daniel Beck
·
Published
2024-05-02
·
Updated
2025-10-10
·
CVE-2024-34146
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Git server Plugin versions 114.v068a c7cc2574 and earlier
Description
The issue is related to a lack of permission check for read access to a Git repository over SSH. Attackers with a previously configured SSH public key but lacking Overall/Read permission can access these repositories. This allows unauthorized access to Git repositories.
Recommendations
For Jenkins Git server Plugin versions 114.v068a c7cc2574 and earlier, update to a version that requires Overall/Read permission to access Git repositories over SSH, such as version 117.veb 68868fa 027. As a temporary workaround, consider restricting SSH access to Git repositories or ensuring that all users with configured SSH public keys have Overall/Read permission.
Fix
Incorrect Authorization
Missing Authorization
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jenkins
Jenkins Git Server Plugin