CVE-2025-58458

EPSS 0.17%
Veröffentlicht 03.09.2025 15:02:26
Zuletzt bearbeitet 08.09.2025 17:14:19
Quelle jenkinsci-cert@googlegroups.co
Teams Watchlist Login
Unerledigt Login

In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying `amazon-s3` protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jenkins ≫ Git Client SwPlatformjenkins Version <= 6.1.3

Jenkins ≫ Git Client SwPlatformjenkins Version >= 6.3.0 <= 6.3.2

Jenkins ≫ Git Client Version6.2.0 SwPlatformjenkins

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.387

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3590

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-58458

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-58458

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-58458

EUVD