Impact
A missing permission check in Jenkins Git Parameter Plugin version 462.vdcf3df2ed2ca_ and earlier allows an attacker who has Item/Read permission to gain access to sensitive information about the source code management repository used by a Jenkins job. This information includes branch names, tag names, and revision identifiers. The flaw is a straightforward lack of authorization control: it lets such a user enumerate repository details that may reveal sensitive code or aid further attacks. The affected code does not enforce the required access check, so internal repository details are exposed to any user who can read the job's configuration or build metadata.
Affected Systems
The vulnerability affects the Jenkins Project’s Git Parameter Plugin, specifically any installation that is at or below version 462.vdcf3df2ed2ca_. Users running the plugin in older releases are at risk. Upgrading to a newer released version that includes the missing permission check is required to remediate this flaw. No other vendor products are directly impacted.
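To locate installations still on an affected release, the following added Python check (not from the advisory, OpenCVE, or the plugin project) reads the plugin inventory Jenkins exposes at `/pluginManager/api/json?depth=1` and flags the Git Parameter Plugin at or below 462.vdcf3df2ed2ca_. It assumes the plugin's short name is `git-parameter`; the inventory JSON is a constructed sample.

```python
import json
import re

# Constructed sample of the JSON Jenkins returns from
# /pluginManager/api/json?depth=1 (only the fields used here).
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "active": True},
        {"shortName": "git-parameter", "version": "462.vdcf3df2ed2ca_", "active": True},
    ]
})

AFFECTED_PLUGIN = "git-parameter"             # assumed short name of the plugin
LAST_AFFECTED_VERSION = "462.vdcf3df2ed2ca_"  # taken from the advisory

# Jenkins' automatic version scheme is "<number>.v<hash>", where the hash part may
# contain underscores; releases are ordered by the leading number.  Releases that
# predate the scheme used dotted versions (e.g. 0.9.19) and are older than any
# automatic-scheme release.
_AUTO_SCHEME = re.compile(r"^(\d+)\.v[0-9a-f_]+$")


def version_key(version):
    """Return a sortable key: (1, (number,)) for automatic-scheme versions,
    (0, dotted components) for legacy ones."""
    m = _AUTO_SCHEME.match(version)
    if m:
        return (1, (int(m.group(1)),))
    return (0, tuple(int(p) for p in re.findall(r"\d+", version)))


def is_affected(version):
    """True if the given plugin version is at or below the last affected release."""
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def find_affected(plugin_json):
    """Return the versions of the Git Parameter Plugin in the inventory that are
    still affected (empty list if the plugin is absent or already patched)."""
    data = json.loads(plugin_json)
    return [
        p["version"]
        for p in data.get("plugins", [])
        if p.get("shortName") == AFFECTED_PLUGIN and is_affected(p.get("version", ""))
    ]


if __name__ == "__main__":
    print(find_affected(SAMPLE_PLUGIN_JSON))  # prints ['462.vdcf3df2ed2ca_']
```

Feed it the body of `curl -u user:token https://<jenkins>/pluginManager/api/json?depth=1` to check a live instance.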
Risk and Exploitability
Because exploitation only requires Item/Read permission, which is often granted to many users in a Jenkins environment, the attack is effectively available to anyone who can authenticate to the Jenkins instance. The CVSS score of 4.3 reflects moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, which suggests that, while the potential impact is real, the likelihood of an immediate widespread exploit is uncertain. Nonetheless, any user with read access to a job can enumerate the underlying repository, so the risk warrants prompt mitigation.
OpenCVE Enrichment