CVE-2025-58458

Summary

In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying amazon-s3 protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Affected Software

VendorProductVersion RangeStatus
Jenkins ProjectJenkins Git client Plugin6.3.3 < *unaffected
Jenkins ProjectJenkins Git client Plugin6.1.4 < 6.1.*unaffected
Jenkins ProjectJenkins Git client Plugin6.2.1 < 6.2.*unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References