CVE-2022-36883
CVE-2022-36883 affects Jenkins Git Plugin prior to 4.11.4. A missing authorization check allows unauthenticated attackers to trigger builds for jobs using an attacker-specified Git repository and cause checkout of an attacker-specified commit. This can lead to exposure of sensitive information, m...
CVE-2020-2136
CVE-2020-2136 affects Jenkins Git Plugin up to version 4.2.0, with a stored cross-site scripting (XSS) vulnerability in the error message for the Microsoft TFS repository URL during form validation. Root cause: error message handling does not escape the URL input. Impact: potential UI-based XSS i...
CVE-2021-21684
CVE-2021-21684 affects Jenkins Git Plugin 4.8.2 and earlier. The stored XSS arises because Git SHA-1 checksum parameters are not escaped when displayed in a build cause, enabling crafted commit notifications (via /git/notifyCommit) to inject scripts. The issue is mitigated by upgrading to Jenkins...
CVE-2022-36882
The CVE-2022-36882 entry documents a CSRF flaw in Jenkins Git Plugin 4.11.3 and earlier, enabling attackers to trigger builds for jobs that use an attacker-specified Git repository and to check out an attacker-specified commit. Connected advisories (RHSA-2023) corroborate this issue among Jenkins-...
CVE-2022-36884
CVE-2022-36884 affects Jenkins Git Plugin up to version 4.11.3, where the webhook endpoint may reveal to unauthenticated attackers whether a job is configured to use an attacker-specified Git repository. The impact is information disclosure about the existence of such jobs; there is no detail on ...
CVE-2022-38663
Affected software: Jenkins Git Plugin (versions 4.11.4 and earlier). Vulnerability: Credentials bound via Git Username and Password (gitUsernamePassword) are not properly masked in the build log, potentially exposing sensitive data. Root cause: Improper handling/masking of credentials in the plug...
CVE-2022-30947
CVE-2022-30947 affects Jenkins Git Plugin versions 4.11.1 and earlier. The vulnerability allows an attacker who can configure pipelines to cause the plugin to check out SCM repositories stored on the Jenkins controller's filesystem using local paths as SCM URLs. This can lead to information disclo...
CVE-2019-1003010
The CVE-2019-1003010 entry concerns Jenkins Git Plugin (versions 3.9.1 and earlier). The issue is a cross-site request forgery in src/main/java/hudson/plugins/git/GitTagAction.java that lets an attacker create a Git tag in a workspace and attach metadata to a build record. The documents do not sp...
CVE-2018-1000182
A server-side request forgery (SSRF) vulnerability exists in Jenkins Git Plugin 3.9.0 and older. In AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, and ViewGitWeb.java, attackers with Overall/Read access can cause Jenkins to send a GET request to a...
CVE-2017-1000092
CVE-2017-1000092 concerns the Jenkins Git Plugin. A maliciously crafted Jenkins URL could cause the Git client to transmit credentials to an attacker-controlled server, enabling credential leakage via a CSRF-like scenario. The entry notes that an attacker with no Jenkins access but with knowledge...
CVE-2018-1000110
The CVE-2018-1000110 entry concerns the Jenkins Git Plugin (v3.7.0 and earlier). Root cause: GitStatus.java contains improper authorization, allowing an attacker with network access to enumerate a list of nodes and users via search endpoints (e.g., /search/suggest?query=x and /search/?q=x). Impac...