PT-2022-5837 · Jenkins · Jenkins Git Plugin

Daniel Beck · Published 2022-07-27 · Updated 2023-11-22 · CVE-2022-36884

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Git Plugin versions 4.11.3 and earlier

Description

The webhook endpoint of Jenkins Git Plugin, /git/notifyCommit, exists so that a Git server can tell Jenkins that a repository has changed. In Git Plugin 4.11.3 and earlier this endpoint accepts plain GET requests without any authentication. An attacker who can reach it can therefore trigger polling and builds of every job configured to use the Git repository named in the url parameter, and can add a sha1 parameter to make those jobs check out an attacker-specified commit instead of the branch head. The endpoint's response lists the jobs that were triggered or scheduled for polling, including jobs the requester has no permission to view, so it also discloses which jobs use a given repository. Because the request is an unauthenticated GET, it can be issued from a victim's browser as well, which makes this a cross-site request forgery (CSRF) vulnerability.

Recommendations

For Jenkins Git Plugin versions 4.11.3 and earlier, update to version 4.11.4 or later, which requires a token parameter to authenticate calls to the webhook endpoint; existing Git hooks that call /git/notifyCommit must be updated to send that token, or they will stop triggering jobs. As a temporary workaround until the update is applied, restrict access to the /git/notifyCommit endpoint (for example at a reverse proxy or firewall in front of Jenkins) to the Git servers that legitimately send notifications, and in particular reject requests that carry the sha1 parameter, since that parameter is what lets an attacker choose the commit that gets built.
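The description above says the endpoint is reached with plain GET requests and that sha1 is the parameter an attacker uses to pin the commit; the check below, an added example that is not part of this advisory or of the Git Plugin code, looks for such calls in the access log of a reverse proxy in front of Jenkins. The log format (Combined Log Format), the source allowlist (10.0.0.0/8), the severity scale and the sample log lines are constructed assumptions, not data from the page.

```python
"""Flag suspicious calls to the Jenkins Git Plugin webhook in access logs.

Added example, not code from this advisory or from the Git Plugin.
Assumptions (not from the page): the log is in Combined Log Format from a
reverse proxy in front of Jenkins, and commit notifications legitimately
come only from 10.0.0.0/8. The sample log lines are constructed.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

WEBHOOK_PATH = "/git/notifyCommit"

# Assumed allowlist of Git servers that may send commit notifications.
ALLOWED_SOURCES = [ip_network("10.0.0.0/8")]

# Combined Log Format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: a legitimate poll from an allowed host, an outside
# caller pinning a commit with sha1, an unrelated request, and a
# post-upgrade call that carries the token parameter.
SAMPLE_LOG = """\
10.1.2.3 - - [27/Jul/2022:10:00:01 +0000] "GET /git/notifyCommit?url=https://git.example.com/app.git HTTP/1.1" 200 77 "-" "GitLab/15.0"
203.0.113.5 - - [27/Jul/2022:10:00:09 +0000] "GET /git/notifyCommit?url=https://git.example.com/app.git&sha1=0123456789abcdef0123456789abcdef01234567 HTTP/1.1" 200 77 "-" "curl/7.79.1"
203.0.113.5 - - [27/Jul/2022:10:00:10 +0000] "GET /login HTTP/1.1" 200 1234 "-" "curl/7.79.1"
10.1.2.3 - - [27/Jul/2022:10:00:20 +0000] "GET /git/notifyCommit?url=https://git.example.com/app.git&token=REDACTED HTTP/1.1" 200 77 "-" "GitLab/15.0"
"""


def parse_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Keep the first value of each query parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def analyze(line):
    """Return a finding dict for a notifyCommit call, None for anything else."""
    rec = parse_line(line)
    if rec is None or rec["path"].rstrip("/") != WEBHOOK_PATH:
        return None
    q = rec["query"]
    reasons = []
    try:
        src = ip_address(rec["ip"])
        outside = not any(src in net for net in ALLOWED_SOURCES)
    except ValueError:  # hostname or garbage in the address field
        outside = True
    if outside:
        reasons.append("source address outside the notification allowlist")
    if "sha1" in q:
        reasons.append("sha1 parameter selects the commit the jobs will build")
    if "token" not in q:
        reasons.append("no token parameter (call in the pre-4.11.4 style)")
    if outside and "sha1" in q:
        severity = "high"
    elif outside or "sha1" in q:
        severity = "medium"
    else:
        severity = "low"
    return {
        "ip": rec["ip"],
        "time": rec["ts"],
        "status": int(rec["status"]),
        "repo": q.get("url"),
        "sha1": q.get("sha1"),
        "severity": severity,
        "reasons": reasons,
    }


def scan(log_text):
    """Analyze every line of a log; returns only notifyCommit findings."""
    return [f for f in (analyze(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ip"], finding["repo"],
              finding["sha1"] or "-", "; ".join(finding["reasons"]) or "ok")
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; the "high" findings are the ones worth correlating with unexpected builds in Jenkins. Note that once the token is passed in the query string, as in the last sample line, it lands in the access log as well, so restrict who can read those logs.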

Fix

Weakness Enumeration

Missing Authentication

Information Disclosure

Related Identifiers

BDU:2022-07250
CVE-2022-36884
GHSA-449W-C77C-VMF6
RHSA-2023:0017
RHSA-2023:0560
RHSA-2023:0777

Affected Products

Jenkins
Jenkins Git Plugin