Skip to content
This repository was archived by the owner on Oct 2, 2023. It is now read-only.
This repository was archived by the owner on Oct 2, 2023. It is now read-only.

CVE-2022-36882 (High) detected in git-4.2.1.jar #170

Description

@mend-bolt-for-github

CVE-2022-36882 - High Severity Vulnerability

Vulnerable Library - git-4.2.1.jar

Integrates Jenkins with Git SCM

Library home page: https://github.com/jenkinsci/git-plugin/tree/git-4.2.1/README.adoc

Path to dependency file: /pom.xml

Path to vulnerable library: /-ci/plugins/git/4.2.1/git-4.2.1.jar

Dependency Hierarchy:

  • git-4.2.1.jar (Vulnerable Library)

Found in HEAD commit: 97ed2b7fe477b78f0b26191e5950825314db7b2c

Found in base branch: master

Vulnerability Details

A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

Publish Date: 2022-07-27

URL: CVE-2022-36882

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284

Release Date: 2022-07-27

Fix Resolution: org.jenkins-ci.plugins:git:4.11.4


Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions