CVE-2022-36882 – org.jenkins-ci.plugins:git

Package

Manager: maven
Name: org.jenkins-ci.plugins:git
Vulnerable Version: >=0 <4.11.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00398 pctl0.59806

Details

Lack of authentication mechanism in Jenkins Git Plugin webhook Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. This webhook endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Git Plugin 4.11.4 requires a `token` parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see [the plugin documentation](https://github.com/jenkinsci/git-plugin/#push-notification-from-repository).

Metadata

Created: 2022-07-28T00:00:43Z
Modified: 2022-12-12T20:53:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8xwj-2wgh-gprh/GHSA-8xwj-2wgh-gprh.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-8xwj-2wgh-gprh
Finding: F007
Auto approve: 1