Miggo Logo
Miggo Vulnerability Database
CVE-2024-34146

CVE-2024-34146: Jenkins Git server Plugin does not perform a permission check

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-34146
GHSA ID
GHSA-xh9c-vcf9-h94m
EPSS Score
0.26985%
CWE
CWE-269
Published
5/2/2024
Updated
7/3/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:git-servermaven< 117.veb117.veb

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing permission checks in SSH Git operations. The primary vulnerable function would be the SSH command handler (SshCommandFactory.createCommand) that processes incoming requests without security validation. The Repository.serveCommand is included as it's the likely execution point for Git operations that required added permission checks. These conclusions are based on Jenkins plugin architecture patterns and the advisory's description of the security fix adding permission requirements at the SSH access layer.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *it s*rv*r Plu*in ***.v****_******** *n* **rli*r *o*s not p*r*orm * p*rmission ****k *or r*** ****ss to * *it r*pository ov*r SS*. T*is *llows *tt**k*rs wit* * pr*viously *on*i*ur** SS* pu*li* k*y *ut l**kin* Ov*r*ll/R*** p*rmission to ****s

Reasoning

T** vuln*r**ility st*ms *rom missin* p*rmission ****ks in SS* *it op*r*tions. T** prim*ry vuln*r**l* *un*tion woul* ** t** SS* *omm*n* **n*l*r (Ss**omm*n****tory.*r**t**omm*n*) t**t pro**ss*s in*omin* r*qu*sts wit*out s**urity v*li**tion. T** R*posit