CVE-2025-58458 – org.jenkins-ci.plugins:git-client

Package

Manager: maven
Name: org.jenkins-ci.plugins:git-client
Vulnerable Version: >=0 <6.3.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00027 pctl0.06027

Details

Jenkins Git client Plugin file system information disclosure vulnerability In Jenkins Git client Plugin 6.3.2 and earlier, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying `amazon-s3` protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Metadata

Created: 2025-09-03T15:30:34Z
Modified: 2025-09-03T22:22:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-g2pq-9jr7-w6gv/GHSA-g2pq-9jr7-w6gv.json
CWE IDs: ["CWE-200", "CWE-538"]
Alternative ID: GHSA-g2pq-9jr7-w6gv
Finding: F009
Auto approve: 1