CVE-2025-58458

EPSS 0.17%
Published 03.09.2025 15:02:26
Last modified 08.09.2025 17:14:19
Source jenkinsci-cert@googlegroups.co
Teams watchlist Login
Open Login

In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying `amazon-s3` protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Affected products Warnungen 0 Metrics 2 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Jenkins ≫ Git Client SwPlatformjenkins Version <= 6.1.3

Jenkins ≫ Git Client SwPlatformjenkins Version >= 6.3.0 <= 6.3.2

Jenkins ≫ Git Client Version6.2.0 SwPlatformjenkins

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.17%	0.387

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3590

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-58458

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-58458

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-58458

EUVD