CVE-2022-36881 – org.jenkins-ci.plugins:git-client

Package

Manager: maven
Name: org.jenkins-ci.plugins:git-client
Vulnerable Version: >=0 <3.11.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00645 pctl0.69768

Details

Jenkins Git client plugin 3.11.0 does not perform SSH host key verification Jenkins Git client plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. Git client Plugin 3.11.1 provides strategies for performing host key verification for administrators to select the one that meets their security needs. For more information see [the plugin documentation](https://github.com/jenkinsci/git-client-plugin#ssh-host-key-verification).

Metadata

Created: 2022-07-28T00:00:43Z
Modified: 2022-12-12T20:36:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cm7j-p8hc-97vj/GHSA-cm7j-p8hc-97vj.json
CWE IDs: ["CWE-295", "CWE-322"]
Alternative ID: GHSA-cm7j-p8hc-97vj
Finding: F163
Auto approve: 1