#VU65848 Missing Authorization in Git plugin


Published: 2022-07-28

Vulnerability identifier: #VU65848

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36883

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Git plugin
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can trigger builds of jobs configured to use an attacker-specified Git repository and cause them to check out an attacker-specified commit.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Git plugin: 0.1 - 4.11.3

External links
http://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
http://www.openwall.com/lists/oss-security/2022/07/27/1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in OpenShift Container Platform 4.9
Multiple vulnerabilities in OpenShift Container Platform 4.9
Multiple vulnerabilities in OpenShift Container Platform 4.10
Multiple vulnerabilities in OpenShift Container Platform 4.8
Multiple vulnerabilities in Jenkins Git plugin