GHSA-qcj2-99cg-mppf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qcj2-99cg-mppf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-qcj2-99cg-mppf/GHSA-qcj2-99cg-mppf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qcj2-99cg-mppf
- Aliases
- Published
- 2025-07-09T18:30:45Z
- Modified
- 2025-11-05T20:33:14.305109Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Jenkins Git Parameter Plugin vulnerable to code injection due to inexhaustive parameter check
- Details
-
Jenkins Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions.
Git Parameter Plugin 439.vb0e46ca14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices.
This allows attackers with Item/Build permission to inject arbitrary values into Git parameters.
Git Parameter Plugin 444.vcab84d3703c2 validates that the Git parameter value submitted to the build matches one of the offered choices.
- Database specific
{ "github_reviewed_at": "2025-07-09T20:47:01Z", "nvd_published_at": "2025-07-09T16:15:24Z", "severity": "MODERATE", "cwe_ids": [ "CWE-1287", "CWE-20" ], "github_reviewed": true }- References
Affected packages
Maven / org.jenkins-ci.tools:git-parameter
Package
- Name
- org.jenkins-ci.tools:git-parameter
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.tools/git-parameter
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed444.vca