github
diff --git a/‎advisories/github-reviewed/2025/09/GHSA-f696-867g-2759/GHSA-f696-867g-2759.json
Lines changed: 69 additions & 0 deletions b/‎advisories/github-reviewed/2025/09/GHSA-f696-867g-2759/GHSA-f696-867g-2759.json
Lines changed: 69 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2025/09/GHSA-g2pq-9jr7-w6gv/GHSA-g2pq-9jr7-w6gv.json
Lines changed: 66 additions & 0 deletions b/‎advisories/github-reviewed/2025/09/GHSA-g2pq-9jr7-w6gv/GHSA-g2pq-9jr7-w6gv.json
Lines changed: 66 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2025/09/GHSA-gm8g-fh49-qq6v/GHSA-gm8g-fh49-qq6v.json
Lines changed: 65 additions & 0 deletions b/‎advisories/github-reviewed/2025/09/GHSA-gm8g-fh49-qq6v/GHSA-gm8g-fh49-qq6v.json
Lines changed: 65 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2025/09/GHSA-f696-867g-2759/GHSA-f696-867g-2759.json
Lines changed: 0 additions & 29 deletions b/‎advisories/unreviewed/2025/09/GHSA-f696-867g-2759/GHSA-f696-867g-2759.json
Lines changed: 0 additions & 29 deletions
diff --git a/‎advisories/unreviewed/2025/09/GHSA-g2pq-9jr7-w6gv/GHSA-g2pq-9jr7-w6gv.json
Lines changed: 0 additions & 29 deletions b/‎advisories/unreviewed/2025/09/GHSA-g2pq-9jr7-w6gv/GHSA-g2pq-9jr7-w6gv.json
Lines changed: 0 additions & 29 deletions
diff --git a/‎advisories/unreviewed/2025/09/GHSA-gm8g-fh49-qq6v/GHSA-gm8g-fh49-qq6v.json
Lines changed: 0 additions & 29 deletions b/‎advisories/unreviewed/2025/09/GHSA-gm8g-fh49-qq6v/GHSA-gm8g-fh49-qq6v.json
Lines changed: 0 additions & 29 deletions
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f696-867g-2759",
+  "modified": "2025-09-03T22:23:42Z",
+  "published": "2025-09-03T15:30:34Z",
+  "aliases": [
+    "CVE-2025-58460"
+  ],
+  "summary": "Jenkins OpenTelemetry Plugin missing permission check allows capturing credentials",
+  "details": "A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "io.jenkins.plugins:opentelemetry"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1543.1545.vf5a"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58460"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jenkinsci/opentelemetry-plugin/commit/f5a4ec123769096ad9a4930ede56588b0fee40f3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/opentelemetry-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jenkinsci/opentelemetry-plugin/releases/tag/3.1543.1545.vf5a_4ec123769"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3602"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-03T22:23:42Z",
+    "nvd_published_at": "2025-09-03T15:15:39Z"
+  }
+}
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g2pq-9jr7-w6gv",
+  "modified": "2025-09-03T22:22:25Z",
+  "published": "2025-09-03T15:30:34Z",
+  "aliases": [
+    "CVE-2025-58458"
+  ],
+  "summary": "Jenkins Git client Plugin file system information disclosure vulnerability",
+  "details": "In Jenkins Git client Plugin 6.3.2 and earlier, Git URL field form validation responses differ based on whether the specified file path exists on the controller when specifying `amazon-s3` protocol for use with JGit, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:git-client"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.3.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58458"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jenkinsci/git-client-plugin/commit/20090a86c3ebc72e5283c882de73e3a4459137bb"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/git-client-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3590"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-538"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-03T22:22:25Z",
+    "nvd_published_at": "2025-09-03T15:15:39Z"
+  }
+}
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gm8g-fh49-qq6v",
+  "modified": "2025-09-03T22:22:41Z",
+  "published": "2025-09-03T15:30:34Z",
+  "aliases": [
+    "CVE-2025-58459"
+  ],
+  "summary": "Jenkins global-build-stats Plugin missing permission check can result in graph IDs being enumerated",
+  "details": "Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. \n\nThis has been patched in version 347.v32a_eb_0493c4f.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:global-build-stats"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "347.v32a"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58459"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/jenkinsci/global-build-stats-plugin/commit/32aeb0493c4ff5423448576f477ac612f7a25138"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/global-build-stats-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3535"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-09-03T22:22:41Z",
+    "nvd_published_at": "2025-09-03T15:15:39Z"
+  }
+}