PT-2022-4996 · Jenkins · Jenkins Git Plugin+1
Daniel Beck · Published 2022-07-27 · Updated 2023-11-22
CVE-2022-36882 · CVSS v3.1 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Git Plugin versions 4.11.3 and earlier
Description
A cross-site request forgery (CSRF) vulnerability exists because requests to the webhook endpoint are not authenticated. This allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. The Git Plugin provides a webhook endpoint at "/git/notifyCommit" that notifies Jenkins of changes to an SCM repository. Because this endpoint accepts GET requests and requires no authentication, any request a browser can be induced to send reaches it, which is what makes the CSRF attack possible.
Recommendations
For Jenkins Git Plugin versions 4.11.3 and earlier, update to version 4.11.4 or later, which requires a token parameter to authenticate calls to the webhook endpoint. As a temporary workaround, restrict access to the "/git/notifyCommit" endpoint to reduce the risk of exploitation. Additionally, ensure that the token parameter is properly configured and kept secret so that it cannot be used for unauthorized access.
Fix · CSRF
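The fixed plugin accepts the webhook only with a token parameter, so calls to "/git/notifyCommit" that carry no token are worth surfacing in access logs: on an unpatched instance they are exactly the unauthenticated GET requests the advisory describes, and on a patched one they point at a client or hook that still needs reconfiguring. The following is an added example, not code from Jenkins or the Git Plugin; it assumes Combined Log Format lines from a reverse proxy in front of Jenkins, and the sample lines are constructed.

```python
"""Flag Git Plugin webhook calls that carry no token parameter.

Added example for this advisory, not Jenkins or Git Plugin code.
Assumes Combined Log Format lines from a reverse proxy in front of
Jenkins; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one tokenized webhook call, one without a token,
# and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2022:10:00:01 +0000] "GET /git/notifyCommit?url=https://git.example.internal/app.git&token=REDACTED HTTP/1.1" 200 12 "-" "curl/7.79.1"
198.51.100.9 - - [27/Jul/2022:10:00:02 +0000] "GET /git/notifyCommit?url=https://git.example.internal/app.git HTTP/1.1" 200 12 "https://external.example/" "Mozilla/5.0"
203.0.113.7 - - [27/Jul/2022:10:00:03 +0000] "GET /job/app/ HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the advisory; matched by suffix so a Jenkins context
# path such as /jenkins/git/notifyCommit is also covered.
WEBHOOK_PATH = "/git/notifyCommit"


def parse_line(line):
    """Return the fields of one Combined Log Format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_untokenized_notifycommit(log_text):
    """Return (ip, timestamp, referer) for notifyCommit calls lacking a token."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.rstrip("/").endswith(WEBHOOK_PATH):
            continue
        # parse_qs drops empty values, so "token=" counts as missing too.
        if not parse_qs(parts.query).get("token"):
            hits.append((rec["ip"], rec["ts"], rec["referer"]))
    return hits


if __name__ == "__main__":
    for hit in find_untokenized_notifycommit(SAMPLE_LOG):
        print("notifyCommit without token:", hit)
```

A non-empty Referer from an origin other than Jenkins itself on such a hit is the pattern a browser-driven CSRF request would leave, whereas a legitimate SCM hook normally sends none.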
Affected Products
Jenkins
Jenkins Git Plugin