git-server-1.10.jar: 2 vulnerabilities (highest severity is: 6.5) #370
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github.aaakk.us.kg
bot
added
the
Mend: dependency security vulnerability
mend-for-github.aaakk.us.kg
bot
changed the title
mend-for-github.aaakk.us.kg
bot
changed the title
getsaurabh02
moved this from 🆕 New
to Later (6 months plus)
in Engineering Effectiveness Board
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This library plugin provides embedded Git server capability inside Jenkins
Library home page: https://github.com/jenkinsci/git-server-plugin
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - git-server-1.10.jar
This library plugin provides embedded Git server capability inside Jenkins
Library home page: https://github.com/jenkinsci/git-server-plugin
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Dependency Hierarchy:
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
Publish Date: 2024-01-24
URL: CVE-2024-23899
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319
Release Date: 2024-01-24
Fix Resolution: org.jenkins-ci.plugins:git-server:99.101.v720e86326c09
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - git-server-1.10.jar
This library plugin provides embedded Git server capability inside Jenkins
Library home page: https://github.com/jenkinsci/git-server-plugin
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/git-server/1.10/e24b71bfe330ea7cfbc1ecc1e1cfa35ebc1e9956/git-server-1.10.jar
Dependency Hierarchy:
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories.
Publish Date: 2024-05-02
URL: CVE-2024-34146
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-34146
Release Date: 2024-05-02
Fix Resolution: org.jenkins-ci.plugins:git-server:117.veb_68868fa_027
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: