CVE-2024-34146

6.5 MEDIUM

📋 TL;DR

The Jenkins Git server Plugin vulnerability allows attackers who have a previously configured SSH public key, but who lack Overall/Read permission, to access Git repositories over SSH. This affects Jenkins instances using Git server Plugin version 114.v068a_c7cc2574 and earlier. Such attackers can read the contents of repositories they are not permitted to access.

💻 Affected Systems

Products:
  • Jenkins Git server Plugin
Versions: 114.v068a_c7cc2574 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances using the Git server Plugin with SSH access configured.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive source code, credentials, or proprietary information from Git repositories is exfiltrated by unauthorized users.

🟠 Likely Case

Unauthorized users with SSH keys access repositories containing internal code or configuration files.

🟢 If Mitigated

Minimal impact if SSH key management is strict and repositories contain no sensitive data.

🌐 Internet-Facing: MEDIUM - Requires SSH access to Jenkins, which may be internet-facing in some deployments.
🏢 Internal Only: HIGH - Internal attackers with SSH keys can bypass permission checks to access repositories.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only SSH access with a configured key.

Exploitation requires a previously configured SSH public key on the Jenkins instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 115.vfec9a_4b_e82c33 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3342

Restart Required: Yes

Instructions:

1. Update Jenkins Git server Plugin to version 115.vfec9a_4b_e82c33 or later via Jenkins Plugin Manager.
2. Restart Jenkins after the update.

🔧 Temporary Workarounds

Disable SSH access to Git repositories
  Applies to: all
  Remove or restrict SSH configuration for Git server Plugin if not required.

Review and remove unnecessary SSH keys
  Applies to: all
  Audit and remove SSH public keys from Jenkins that are not strictly needed.

🧯 If You Can't Patch

  • Restrict SSH access to Jenkins Git server to trusted IPs only.
  • Implement network segmentation to isolate Jenkins Git server from untrusted users.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins Plugin Manager for Git server Plugin version. If version is 114.v068a_c7cc2574 or earlier, it is vulnerable.

Check Version:

In Jenkins web UI: Manage Jenkins > Plugin Manager > Installed plugins, find 'Git server Plugin'.

Verify Fix Applied:

Verify Git server Plugin version is 115.vfec9a_4b_e82c33 or later in Jenkins Plugin Manager.
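The version check from the verification steps above, scripted so it can be run against many Jenkins instances. This is an added example, not code from this page or from the Jenkins project. It assumes the plugin's short name in the Jenkins plugin manager API is git-server and that the JSON returned by /pluginManager/api/json?depth=1 lists plugins under "plugins" with "shortName" and "version" fields; the API response below is constructed sample data.

```python
import json
import re

# Fixed version stated in the advisory; anything whose leading numeric
# component is lower than 115 is in the affected range (114.x and earlier).
FIXED_VERSION = "115.vfec9a_4b_e82c33"
PLUGIN_SHORT_NAME = "git-server"  # assumed short name of the Git server Plugin


def leading_number(version: str) -> int:
    """Return the leading integer of a Jenkins plugin version string.

    Jenkins plugins use either classic versions ("1.11") or CD-style versions
    ("114.v068a_c7cc2574"). In both schemes the first dot-separated token is an
    integer that increases with every release, so comparing that token is
    sufficient here because the fixed release bumped it (114 -> 115).
    """
    match = re.match(r"(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(match.group(1))


def is_vulnerable_version(version: str) -> bool:
    """True if the installed version is 114.v068a_c7cc2574 or earlier."""
    return leading_number(version) < leading_number(FIXED_VERSION)


def assess_plugin_list(api_json: str) -> dict:
    """Inspect a plugin manager API response and report on the Git server Plugin.

    Returns a dict with: installed (bool), version (str or None) and
    vulnerable (bool). A Jenkins instance without the plugin is not affected.
    """
    data = json.loads(api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin.get("version", "")
            return {
                "installed": True,
                "version": version,
                "vulnerable": is_vulnerable_version(version),
            }
    return {"installed": False, "version": None, "vulnerable": False}


# Constructed sample response in the shape of /pluginManager/api/json?depth=1
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1"},
        {"shortName": "git-server", "version": "114.v068a_c7cc2574"},
    ]
})


if __name__ == "__main__":
    # In practice the JSON would come from an authenticated request such as
    # curl -u USER:API_TOKEN "https://JENKINS_URL/pluginManager/api/json?depth=1"
    print(assess_plugin_list(SAMPLE_RESPONSE))
```

The comparison deliberately looks only at the leading numeric component: the CD-style suffix (".v" followed by a commit hash) does not sort meaningfully, and the advisory's fixed release is distinguished from all affected releases by that leading number alone.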

📡 Detection & Monitoring

Log Indicators:

  • Unusual SSH access patterns to Jenkins Git repositories from unauthorized users.

Network Indicators:

  • SSH connections to Jenkins Git server from unexpected sources.

SIEM Query:

source="jenkins" AND "ssh" AND "git" AND (event="access" OR event="repository")
