
Jenkins Git Plugin missing permission check (CVE-2022-36883)

Description

Jenkins is an open-source automation server used for continuous integration and continuous delivery (CI/CD) workflows.

The Jenkins Git Plugin version 4.11.3 and earlier contains a missing permission check vulnerability (CWE-862) that allows unauthenticated remote attackers to exploit the notification endpoint. Attackers can trigger builds of jobs by specifying arbitrary Git repositories and commits without requiring any authentication, effectively bypassing access controls that should protect build operations.

Remediation

Immediately upgrade the Jenkins Git Plugin to version 4.11.4 or later, which implements proper permission checks for the notification endpoint.

To upgrade:
1. Navigate to 'Manage Jenkins' > 'Manage Plugins' in your Jenkins instance
2. Select the 'Available' or 'Updates' tab
3. Locate 'Git Plugin' and check the box next to it
4. Click 'Download now and install after restart' or 'Install without restart'
5. Verify the plugin version is 4.11.4 or higher after installation
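The version check in the last step can be scripted instead of read off the plugin list. The following is an added example, not Invicti's or the Jenkins project's code: it parses the JSON returned by the Jenkins plugin-manager API (assumed here to have the shape `{"plugins": [{"shortName": ..., "version": ..., "active": ...}]}` as served by `/pluginManager/api/json?depth=1`) and flags any Git Plugin entry older than the fixed version named in the advisory. The sample response is constructed inline so the check runs offline.

```python
import json
import re

# First fixed release named in the advisory; every older version is affected.
FIXED_VERSION = "4.11.4"


def parse_version(version: str) -> tuple:
    """Reduce a Jenkins plugin version to a tuple of its leading numeric parts.

    '4.11.3' -> (4, 11, 3); '4.11.4-SNAPSHOT' -> (4, 11, 4); the newer
    '1107.v1b_ef6e31e62c' style -> (1107,). Anything after the first
    non-numeric component is ignored, which is enough for a 4.x comparison.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed Git Plugin predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_affected_plugins(plugin_manager_json: str) -> list:
    """Return Git Plugin entries from a plugin-manager API response that
    are still on an affected version. Response shape is an assumption (see
    the docstring above); other plugins are ignored."""
    data = json.loads(plugin_manager_json)
    affected = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != "git":
            continue
        if is_vulnerable(plugin["version"]):
            affected.append({"shortName": "git",
                             "version": plugin["version"],
                             "active": plugin.get("active", True)})
    return affected


# Constructed sample of a plugin-manager response, not captured from a real server.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.3", "active": True},
    {"shortName": "git-client", "version": "3.11.0", "active": True},
    {"shortName": "workflow-aggregator", "version": "2.6", "active": True},
]})

if __name__ == "__main__":
    for entry in find_affected_plugins(SAMPLE_RESPONSE):
        print(f"Git Plugin {entry['version']} is affected; upgrade to {FIXED_VERSION}+")
```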

As an additional security measure, review Jenkins security settings to ensure that anonymous users have minimal permissions and that job configurations are restricted to authorized users only. Monitor build logs for any suspicious activity that may have occurred prior to patching.
