CVE-2022-36881

CWE-295 — Improper Certificate Validation CWE-3226 documents6 sources

Severity

8.1HIGH

EPSS

0.7%

top 27.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins GIT Client Plugin Jenkins GIT Client

Timeline

PublishedJul 27

Latest updateAug 3

Description

Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:git-client< 3.11.1

▶CVEListV5jenkins_project/jenkins_git_client_pluginunspecified — 3.11.0

▶NVDjenkins/git_client3.11.0

🔴Vulnerability Details

OSV

Jenkins Git client plugin 3.11.0 does not perform SSH host key verification↗2022-07-28

▶

GHSA

Jenkins Git client plugin 3.11.0 does not perform SSH host key verification↗2022-07-28

▶

CVEList

CVE-2022-36881: Jenkins Git client Plugin 3↗2022-07-27

▶

📋Vendor Advisories

Red Hat

jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client↗2022-08-03

▶

Jenkins

Jenkins Security Advisory 2022-07-27↗2022-07-27

▶