PT-2022-4716 · Jenkins · Jenkins Git Plugin +1

Daniel Beck · Published 2022-07-27 · Updated 2023-11-22 · CVE-2022-36883

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Git Plugin versions 4.11.3 and earlier

Description: A missing permission check in the Jenkins Git Plugin allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. The Git Plugin provides a webhook endpoint at "/git/notifyCommit" that notifies Jenkins of changes to an SCM repository. This endpoint can be accessed with GET requests and without authentication, allowing attackers to trigger builds and to learn whether jobs configured with the specified Git repository exist. The sha1 parameter can be used to specify a commit ID, and the output of the webhook endpoint reports which jobs were triggered or scheduled for polling.

Recommendations: For Jenkins Git Plugin versions 4.11.3 and earlier, update to version 4.11.4 or later, which requires a token parameter to authenticate calls to the webhook endpoint. As a temporary workaround, restrict access to the "/git/notifyCommit" endpoint to minimize the risk of exploitation, so that unauthenticated attackers cannot trigger builds or obtain information about existing jobs. Avoid using the sha1 parameter of the affected endpoint until the issue is resolved.
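Detecting calls to the webhook described above in access logs, as an added example that is not part of this advisory or of the Jenkins project. It assumes a combined-format access log from a reverse proxy in front of Jenkins (the log lines below are constructed) and flags webhook calls that carried no token parameter, which is what the pre-4.11.4 endpoint accepts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format from a reverse
# proxy in front of Jenkins; these are not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2022:10:01:02 +0000] "GET /git/notifyCommit?url=https://example.test/repo.git&sha1=0123456789abcdef0123456789abcdef01234567 HTTP/1.1" 200 87 "-" "curl/7.79.1"
198.51.100.4 - - [27/Jul/2022:10:01:05 +0000] "GET /git/notifyCommit?url=https://example.test/repo.git&token=REDACTED HTTP/1.1" 200 23 "-" "GitLab/15.0"
192.0.2.9 - - [27/Jul/2022:10:01:09 +0000] "GET /job/app/build HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_notifycommit_calls(log_text):
    """Return one finding per request to the Git Plugin webhook endpoint.

    Each finding records whether the call carried the 'token' parameter that
    Git Plugin 4.11.4 and later require, and whether it used 'sha1' to pin a
    commit. The path check tolerates a Jenkins context path prefix.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.rstrip("/").endswith("/git/notifyCommit"):
            continue
        params = parse_qs(parts.query)
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "repo": params.get("url", [None])[0],
            "has_token": "token" in params,
            "pins_sha1": "sha1" in params,
        })
    return findings


def unauthenticated_calls(log_text):
    """Webhook calls without a token: on 4.11.3 and earlier these are accepted."""
    return [f for f in find_notifycommit_calls(log_text) if not f["has_token"]]
```

A 200 response to a token-less call is the signal to act on; after the upgrade such calls should be rejected, and any that still succeed indicate an unpatched instance.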

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers

BDU:2022-05608
CVE-2022-36883
GHSA-V878-67XW-GRW2
RHSA-2023:0017
RHSA-2023:0560
RHSA-2023:0777

Affected Products

Jenkins
Jenkins Git Plugin