CVE-2022-41238

Name of the Vulnerable Software and Affected Versions Jenkins DotCi Plugin versions 2.40.00 and earlier

Description A missing permission check in the Jenkins DotCi Plugin allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits. The DotCi Plugin provides a webhook endpoint at "/githook/" that can be used to trigger builds of the job for a GitHub repository. In affected versions, this endpoint can be accessed without authentication.

Recommendations For Jenkins DotCi Plugin versions 2.40.00 and earlier, consider disabling the /githook/ endpoint until a patch is available to prevent unauthenticated access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.