Vulnerability Description
Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Git Server | <= 99.va_0826a_b_cdfa_d |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2024/01/24/6Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319Vendor Advisory
- http://www.openwall.com/lists/oss-security/2024/01/24/6Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319Vendor Advisory
FAQ
What is CVE-2024-23899?
CVE-2024-23899 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's conten...
How severe is CVE-2024-23899?
CVE-2024-23899 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-23899?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Git Server.