{"id":"CVE-2025-58458","details":"In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying `amazon-s3` protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.","aliases":["GHSA-g2pq-9jr7-w6gv"],"modified":"2026-04-10T05:32:53.285079Z","published":"2025-09-03T15:15:39.520Z","references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/09/03/4"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3590"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/git-client-plugin","events":[{"introduced":"0"},{"last_affected":"9d423899843347b3d5de94002605aa03258b64ab"},{"introduced":"08d7fbd2397f076162c2f0e5f975256a4e9f6bfb"},{"last_affected":"e59c76121b6515f9bc3aab85ccb822147c944690"},{"introduced":"0"},{"last_affected":"67460d2398b11360d1568240b697aeaf510f5d35"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.1.3"},{"introduced":"6.3.0"},{"last_affected":"6.3.2"},{"introduced":"0"},{"last_affected":"6.2.0"}]}}],"versions":["git-client-1.0.0","git-client-1.0.1","git-client-1.0.2","git-client-1.0.4","git-client-1.0.5","git-client-1.0.6","git-client-1.1","git-client-1.1.1","git-client-1.1.2","git-client-1.10.0","git-client-1.10.1","git-client-1.10.2","git-client-1.11.0","git-client-1.11.1","git-client-1.12.0","git-client-1.13.0","git-client-1.14.0","git-client-1.14.1","git-client-1.15.0","git-client-1.16.0","git-client-1.16.1","git-client-1.17.0","git-client-1.18.0","git-client-1.19.0","git-client-1.19.1","git-client-1.19.2","git-client-1.19.3","git-client-1.19.4","git-client-1.19.5","git-client-1.19.6","git-client-1.19.7","git-client-1.2.0","git-client-1.20.0","git-client-1.20.1","git-client-1.20.2","git-client-1.21.0","git-client-1.3.0","git-client-1.4.0","git-client-1.4.1","git-client-1.4.2","git-client-1.4.3","git-client-1.4.4","git-client-1.5.0","git-client-1.5.1","git-client-1.6.0","git-client-1.6.1","git-client-1.6.2","git-client-1.6.3","git-client-1.6.4","git-client-1.6.5","git-client-1.6.6","git-client-1.7.0","git-client-1.8.0","git-client-1.8.1","git-client-1.9.0","git-client-1.9.1","git-client-1.9.2","git-client-2.1.0","git-client-2.2.0","git-client-2.2.1","git-client-2.3.0","git-client-2.4.0","git-client-2.4.1","git-client-2.4.2","git-client-2.4.3","git-client-2.4.4","git-client-2.4.5","git-client-2.4.6","git-client-2.5.0","git-client-2.6.0","git-client-2.7.0","git-client-2.7.1","git-client-3.0.0","git-client-3.0.0-beta1","git-client-3.0.0-beta10","git-client-3.0.0-beta11","git-client-3.0.0-beta12","git-client-3.0.0-beta2","git-client-3.0.0-beta3","git-client-3.0.0-beta4","git-client-3.0.0-beta5","git-client-3.0.0-beta7","git-client-3.0.0-beta8","git-client-3.0.0-beta9","git-client-3.0.0-rc","git-client-3.1.0","git-client-3.1.0-beta","git-client-3.1.1","git-client-3.10.0","git-client-3.10.1","git-client-3.11.0","git-client-3.12.0","git-client-3.12.1","git-client-3.13.0","git-client-3.13.1","git-client-3.2.0","git-client-3.2.1","git-client-3.3.0","git-client-3.3.1","git-client-3.3.2","git-client-3.4.0","git-client-3.4.1","git-client-3.4.2","git-client-3.5.0","git-client-3.5.1","git-client-3.6.0","git-client-3.7.0","git-client-3.7.1","git-client-3.7.2","git-client-3.8.0","git-client-3.9.0","git-client-4.0.0","git-client-4.1.0","git-client-4.2.0","git-client-4.3.0","git-client-4.4.0","git-client-4.5.0","git-client-4.6.0","git-client-4.7.0","git-client-5.0.0","git-client-6.0.0","git-client-6.1.0","git-client-6.1.1","git-client-6.1.2","git-client-6.1.3","git-client-6.2.0","git-client-6.3.0","git-client-6.3.1","git-client-6.3.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58458.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}