Miggo Logo

CVE-2024-34146: Jenkins Git server Plugin does not perform a permission check

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.26985%
Published
5/2/2024
Updated
7/3/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:git-servermaven< 117.veb117.veb

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing permission checks in SSH Git operations. The primary vulnerable function would be the SSH command handler (SshCommandFactory.createCommand) that processes incoming requests without security validation. The Repository.serveCommand is included as it's the likely execution point for Git operations that required added permission checks. These conclusions are based on Jenkins plugin architecture patterns and the advisory's description of the security fix adding permission requirements at the SSH access layer.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *it s*rv*r Plu*in ***.v****_******** *n* **rli*r *o*s not p*r*orm * p*rmission ****k *or r*** ****ss to * *it r*pository ov*r SS*. T*is *llows *tt**k*rs wit* * pr*viously *on*i*ur** SS* pu*li* k*y *ut l**kin* Ov*r*ll/R*** p*rmission to ****s

Reasoning

T** vuln*r**ility st*ms *rom missin* p*rmission ****ks in SS* *it op*r*tions. T** prim*ry vuln*r**l* *un*tion woul* ** t** SS* *omm*n* **n*l*r (Ss**omm*n****tory.*r**t**omm*n*) t**t pro**ss*s in*omin* r*qu*sts wit*out s**urity v*li**tion. T** R*posit