Vulnerability details: VCID-6rup-vv6d-eqd8
Vulnerability ID VCID-6rup-vv6d-eqd8
Aliases CVE-2024-23899
GHSA-vph5-2q33-7r9h
Summary: Arbitrary file read vulnerability in Git server Plugin can lead to RCE

Jenkins Git server Plugin uses the [args4j](https://github.com/kohsuke/args4j) library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an `@` character followed by a file path in an argument with the file's contents (`expandAtFiles`). This feature is enabled by default, and Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable it.

This allows attackers with Overall/Read permission to read the first two lines of arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

See [SECURITY-3314](https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314) for further information about the potential impact of being able to read files on the Jenkins controller, as well as the [limitations for reading binary files](https://www.jenkins.io/security/advisory/2024-01-24/#binary-files-note). Note that for this issue, unlike SECURITY-3314, attackers need Overall/Read permission.

## Fix Description

Git server Plugin 99.101.v720e86326c09 disables the command parser feature that replaces an `@` character followed by a file path in an argument with the file's contents for CLI commands.

## Workaround

Navigate to Manage Jenkins » Security and ensure that the SSHD Port setting in the SSH Server section is set to Disable. This disables access to Git repositories hosted by Jenkins (and the Jenkins CLI) via SSH.
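As an added example (not the plugin's or the advisory's own code), the args4j behaviour the summary describes, with the library's default parser properties beside the hardened configuration that turns the `@file` expansion off. The `GitCommandArgs` bean, the `parse` helper and the temporary file are constructed for this demonstration; `withAtSyntax` is the `ParserProperties` method args4j provides for this setting.

```java
import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

public class AtSyntaxDemo {

    // Hypothetical bean standing in for the argument holder of an SSH-delivered command.
    // @Argument on a List collects every positional argument the parser produces.
    public static class GitCommandArgs {
        @Argument
        public List<String> args = new ArrayList<>();
    }

    // Parses argv with at-syntax either enabled (args4j default) or disabled (hardened),
    // and returns the positional arguments the bean ended up with.
    static List<String> parse(boolean allowAtSyntax, String... argv) throws CmdLineException {
        GitCommandArgs bean = new GitCommandArgs();
        ParserProperties props = ParserProperties.defaults().withAtSyntax(allowAtSyntax);
        new CmdLineParser(bean, props).parseArgument(argv);
        return bean.args;
    }

    public static void main(String[] argv) throws Exception {
        // Constructed sample file standing in for any file readable by the controller process.
        Path sample = Files.createTempFile("at-syntax-demo", ".txt");
        Files.write(sample, List.of("first line", "second line", "third line"));
        String atArgument = "@" + sample;

        // Default: the "@path" argument is replaced by the file's contents, so file data
        // flows into the argument list of a command the caller never needed to read.
        System.out.println("at-syntax enabled : " + parse(true, atArgument));

        // Hardened: the argument stays the literal string "@/path/to/file" and no file is read.
        System.out.println("at-syntax disabled: " + parse(false, atArgument));

        Files.delete(sample);
    }
}
```

Run with args4j on the classpath; the second line shows the literal `@` argument surviving untouched, which is the state the fixed plugin version puts the parser in.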
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
| System | Score | Found at |
| --- | --- | --- |
| cvssv3 | 8.8 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23899.json |
| epss | 0.00494 | https://api.first.org/data/v1/epss?cve=CVE-2024-23899 |
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-vph5-2q33-7r9h |
| cvssv3.1 | 8.8 | https://github.com/jenkinsci/git-server-plugin |
| generic_textual | HIGH | https://github.com/jenkinsci/git-server-plugin |
| cvssv3.1 | 8.8 | https://github.com/jenkinsci/git-server-plugin/commit/068ac7cc2574882ef9f5a486e001228a71d881ad |
| generic_textual | HIGH | https://github.com/jenkinsci/git-server-plugin/commit/068ac7cc2574882ef9f5a486e001228a71d881ad |
| cvssv3.1 | 8.8 | https://nvd.nist.gov/vuln/detail/CVE-2024-23899 |
| generic_textual | HIGH | https://nvd.nist.gov/vuln/detail/CVE-2024-23899 |
| cvssv3.1 | 6.5 | https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319 |
| cvssv3.1 | 8.8 | https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319 |
| generic_textual | HIGH | https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319 |
| ssvc | Track | https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319 |
| cvssv3.1 | 6.5 | http://www.openwall.com/lists/oss-security/2024/01/24/6 |
| cvssv3.1 | 8.8 | http://www.openwall.com/lists/oss-security/2024/01/24/6 |
| generic_textual | HIGH | http://www.openwall.com/lists/oss-security/2024/01/24/6 |
| ssvc | Track | http://www.openwall.com/lists/oss-security/2024/01/24/6 |
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23899.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/git-server-plugin
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/git-server-plugin/commit/068ac7cc2574882ef9f5a486e001228a71d881ad
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-23899
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-25T15:28:24Z/ Found at https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3319
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2024/01/24/6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2024/01/24/6
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-25T15:28:24Z/ Found at http://www.openwall.com/lists/oss-security/2024/01/24/6
Exploit Prediction Scoring System (EPSS)
Percentile 0.65699
EPSS Score 0.00494
Published At April 2, 2026, 12:55 p.m.
| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2026-04-01T12:49:55.574578+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-vph5-2q33-7r9h/GHSA-vph5-2q33-7r9h.json | 38.0.0 |