Cross-site request forgery in Git plugin

#VU65847 Cross-site request forgery in Git plugin

Published: 2022-07-28

Vulnerability identifier: #VU65847

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-36882

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Git plugin
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Git plugin: 0.1 - 4.11.3

CPE

cpe:2.3:a:jenkins:git_plugin:4.9.3:*:*:*:*:*:*:*

External links
http://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
http://www.openwall.com/lists/oss-security/2022/07/27/1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in OpenShift Container Platform 4.9

Multiple vulnerabilities in OpenShift Container Platform 4.10

Multiple vulnerabilities in OpenShift Container Platform 4.8

Multiple vulnerabilities in Jenkins Git plugin