CVE-2024-23899: 
Java vulnerability analysis and mitigation

CVE-2024-23899 affects the Jenkins Git server Plugin versions 99.va_0826a_b_cdfa_d and earlier. The vulnerability stems from a command parser feature that fails to disable the replacement of '@' characters followed by file paths with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system (Jenkins Advisory, NVD).

The vulnerability exists in the Git server Plugin's use of the args4j library for parsing command arguments and options on the Jenkins controller when processing Git commands received via SSH. The command parser has a feature called 'expandAtFiles' that replaces an '@' character followed by a file path with the file's contents. This feature is enabled by default, and in affected versions, the plugin does not disable it. The vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Jenkins Advisory, NVD).

The vulnerability allows attackers with Overall/Read permission to read the first two lines of arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. The impact is particularly significant when reading sensitive files, though there are limitations when reading binary files due to character encoding constraints (Jenkins Advisory).

The vulnerability has been fixed in Git server Plugin version 99.101.v720e86326c09. As a workaround, administrators can navigate to Manage Jenkins » Security and ensure that the SSHD Port setting in the SSH Server section is set to Disable. This disables access to Git repositories hosted by Jenkins and the Jenkins CLI via SSH (Jenkins Advisory).