Description
A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins GitHub Branch Source Plugin version 1967.1969.v205fd594c821 and earlier contain a missing permission check that permits any user with Overall/Read permission to retrieve the URLs of GitHub Enterprise servers configured in the global plugin configuration. This disclosure reveals internal server addresses, potentially exposing sensitive infrastructure details and aiding attackers in mapping or targeting an organization's GitHub Enterprise environment. The weakness corresponds to improper access control and missing authorization controls as identified by CWE-425 and CWE-862.

Affected Systems

The vulnerability affects Jenkins installations that employ the GitHub Branch Source Plugin up to and including version 1967.1969.v205fd594c821. Any Jenkins instance with this plugin configured to connect to one or more GitHub Enterprise servers is at risk. Organizations using the plugin for source code integration should review the plugin version and confirm whether it remains within the affected range.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate confidentiality impact and low to moderate risk when combined with the absence of an EPSS score or KEV listing. The attack vector is limited to users who already possess Overall/Read permission; the vulnerability does not require elevated rights or exploitation of additional components. Attackers can exploit this weakness merely by accessing the standard plugin configuration page in Jenkins, which is generally available to any trusted user, allowing them to list the internal GitHub Enterprise server URLs. Because the exploit is straightforward and requires no special conditions, the risk remains notable for organizations with broad read permissions or poorly segmented user roles.

Generated by OpenCVE AI on June 25, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins GitHub Branch Source Plugin to any version that is newer than 1967.1969.v205fd594c821.
  • Enforce stricter ACLs by removing Overall/Read permission from users who do not need to view the global plugin configuration, limiting view rights to administrators or specifically defined groups.
  • Conduct a review of all Jenkins instances using the plugin to confirm that plugin configuration is not exposed to read‑only users, and consider using Jenkins project‑level security or a custom script to audit configuration visibility.

Generated by OpenCVE AI on June 25, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Exposes GitHub Enterprise Server URLs in Jenkins GitHub Branch Source Plugin Jenkins GitHub Branch Source Plugin: Jenkins GitHub Branch Source Plugin: Information disclosure via missing permission check
Weaknesses CWE-425
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Github Branch Source Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Github Branch Source Plugin

Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Exposes GitHub Enterprise Server URLs in Jenkins GitHub Branch Source Plugin
Weaknesses CWE-284

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.
References

Subscriptions

Jenkins Project Jenkins Github Branch Source Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:02:32.219Z

Reserved: 2026-06-24T08:41:44.357Z

Link: CVE-2026-57285

cve-icon Vulnrichment

Updated: 2026-06-24T14:02:28.337Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T13:20:06Z

Links: CVE-2026-57285 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T04:30:07Z

Weaknesses
  • CWE-425

    Direct Request ('Forced Browsing')

  • CWE-862

    Missing Authorization