CVE-2025-58458 — Sensitive Information Exposure in Jenkins GIT Client

CWE-200 — Sensitive Information Exposure CWE-538 — Insertion of Sensitive Information into Externally-Accessible File or Directory5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 82.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins GIT Client

Timeline

PublishedSep 3

Description

In Jenkins Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying `amazon-s3` protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDjenkins/git_client6.3.0 — 6.3.2+2

🔴Vulnerability Details

GHSA

Jenkins Git client Plugin file system information disclosure vulnerability↗2025-09-03

▶

CVEList

CVE-2025-58458: In Jenkins Git client Plugin 6↗2025-09-03

▶

OSV

Jenkins Git client Plugin file system information disclosure vulnerability↗2025-09-03

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2025-09-03↗2025-09-03

▶