CVE-2022-36884 — Missing Authentication for Critical Function in Project Jenkins GIT Plugin

CWE-306 — Missing Authentication for Critical Function CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.5%

top 33.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins GIT Plugin Jenkins GIT

Timeline

PublishedJul 27

Latest updateJul 28

Description

The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_git_pluginunspecified — 4.11.3

▶NVDjenkins/git4.11.3

🔴Vulnerability Details

GHSA

Lack of authentication mechanism in Jenkins Git Plugin webhook↗2022-07-28

▶

OSV

Lack of authentication mechanism in Jenkins Git Plugin webhook↗2022-07-28

▶

CVEList

CVE-2022-36884: The webhook endpoint in Jenkins Git Plugin 4↗2022-07-27

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-07-27↗2022-07-27

▶

Red Hat

plugin: Lack of authentication mechanism in Git Plugin webhook↗2022-07-27

▶