GHSA-8xwj-2wgh-gprh

Source

https://github.com/advisories/GHSA-8xwj-2wgh-gprh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8xwj-2wgh-gprh/GHSA-8xwj-2wgh-gprh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8xwj-2wgh-gprh

Aliases

CVE-2022-36882

Published

2022-07-28T00:00:43Z

Modified

2024-02-16T08:16:36.116974Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Lack of authentication mechanism in Jenkins Git Plugin webhook

Details

Git Plugin provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication.

This webhook endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Git Plugin 4.11.4 requires a token parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see the plugin documentation.

References

Affected packages

Maven / org.jenkins-ci.plugins:git

Package

Name: org.jenkins-ci.plugins:git; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/git

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.11.4

Affected versions

1.*

1.2.0

1.3.0

1.4.0

1.5.0

1.6.0-beta-1

2.*

2.0-beta-2

2.0-beta-3

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.1.0

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.3-beta-1

2.3-beta-2

2.3-beta-3

2.3-beta-4

2.3

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0-beta1

2.5.0-beta2

2.5.0-beta3

2.5.0-beta4

2.5.0-beta5

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2-beta-1

2.6.2-beta-2

2.6.2

2.6.4

2.6.5

3.*

3.0.0-beta1

3.0.0-beta2

3.0.0

3.0.1

3.0.2-beta-1

3.0.2-beta-2

3.0.2

3.0.3

3.0.4

3.0.5

3.1.0

3.2.0

3.3.0

3.3.1

3.3.2

3.4.0-alpha-1

3.4.0-alpha-4

3.4.0-beta-1

3.4.0-beta-2

3.4.0

3.4.1

3.5.0

3.5.1

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.7.0

3.8.0

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

3.10.0-beta-1

3.10.0

3.10.0.1

3.10.1

3.11.0

3.12.0

3.12.1

3.12.2

4.*

4.0.0-beta1

4.0.0-beta2

4.0.0-beta3

4.0.0-beta4

4.0.0-beta7

4.0.0-beta8

4.0.0-beta9

4.0.0-beta10

4.0.0-beta11

4.0.0-beta12

4.0.0-rc

4.0.0

4.0.1

4.1.0-beta

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.3.0

4.3.1

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.5.0

4.5.1

4.5.2

4.6.0

4.7.0

4.7.1

4.7.1.1

4.7.2

4.8.0

4.8.1

4.8.2

4.8.3

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.10.0

4.10.1

4.10.2

4.10.3

4.11.0

4.11.1

4.11.2

4.11.3

Database specific

{
    "last_known_affected_version_range": "<= 4.11.3"
}