medium
5.3
CWE
200 306 352
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2022-36884: Infoleak

First published: Wed Jul 27 2022(Updated: )

Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. In addition to this basic functionality, the endpoint also accept a `sha1` parameter specifying a commit ID. If this parameter is specified, jobs configured with the specified repo will be triggered immediately, and the build will check out the specified commit. Additionally, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Git repository URLs to trigger builds of jobs using a specified Git repository and to cause them to check out an attacker-specified commit, and to obtain information about the existence of jobs configured with this Git repository. Additionally, this webhook endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Git Plugin 4.11.4 requires a `token` parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see [the plugin documentation](https://github.com/jenkinsci/git-plugin/#push-notification-from-repository).

Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com

Affected SoftwareAffected VersionHow to fix
redhat/jenkins<2-plugins-0:4.10.1675144701-1.el8
2-plugins-0:4.10.1675144701-1.el8
redhat/jenkins<2-plugins-0:4.8.1672842762-1.el8
2-plugins-0:4.8.1672842762-1.el8
redhat/jenkins<2-plugins-0:4.9.1675668922-1.el8
2-plugins-0:4.9.1675668922-1.el8
Jenkins Git<=4.11.3
<=4.11.3
maven/org.jenkins-ci.plugins:git<=4.11.3
4.11.4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the vulnerability ID for this Jenkins Git Plugin vulnerability?

    The vulnerability ID is CVE-2022-36884.

  • What is the severity of CVE-2022-36884?

    The severity of CVE-2022-36884 is medium.

  • How does the Jenkins Git Plugin vulnerability CVE-2022-36884 work?

    The vulnerability allows unauthenticated attackers to access sensitive information by exploiting the webhook endpoint at /git/notifyCommit.

  • What is the affected software for CVE-2022-36884?

    The affected software includes Jenkins Git Plugin versions up to and including 4.11.3, and certain versions of the git package in Red Hat and Jenkins.

  • How can I fix the Jenkins Git Plugin vulnerability CVE-2022-36884?

    To fix the vulnerability, update Jenkins Git Plugin to version 4.11.4 or later, or follow the recommended upgrade or patch instructions provided by the software vendor.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203