CVE-2022-36883 – Jenkins Plugin Information Exposure

Description

Cytrix has detected that the version of the Jenkins Git Plugin in use is vulnerable to Information Exposure.
This version of the Jenkins Git Plugin is missing a permission check.

CVE-2022-36883 is categorized as a ‘Missing Authorization’ vulnerability (CWE-862).
Issues from this category appear when the software does not perform an authorization check when a user attempts to access a resource or to perform an action.

This missing check allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause those builds to check out an attacker-specified commit.

This could help attackers obtain sensitive information (Information Disclosure).
The vulnerability may also allow attackers to modify system files and information.

Recommendation

To fix CVE-2022-36883, upgrade the Jenkins Git Plugin to version 4.11.4 or higher.
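The following is an added example, not Cytrix's code and not part of the Jenkins Git Plugin itself. It shows how an operator can verify the recommendation above: read the plugin list that Jenkins exposes through its plugin manager REST API, find the Git Plugin entry and compare its version against 4.11.4, the fixed version named in this advisory. The plugin's shortName "git", the `/pluginManager/api/json?depth=1` endpoint and the use of an API token for authentication are assumptions about a standard Jenkins installation; the sample JSON is constructed for the example and is not real scan output.

```python
"""Check the installed Jenkins Git Plugin version against the fixed version
for CVE-2022-36883 (4.11.4, as stated in the advisory's recommendation).

Added example; not Cytrix's code and not the Git Plugin's own code.
"""
import base64
import json
import re
import urllib.request
from typing import Optional, Tuple

FIXED_VERSION = "4.11.4"      # from the recommendation: upgrade to 4.11.4 or higher
PLUGIN_SHORT_NAME = "git"      # assumption: the Git Plugin's shortName in the plugin manager API


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.11.3' or '4.11.3-SNAPSHOT' into (4, 11, 3).

    Only the leading dotted numeric part is compared; pre-release suffixes are
    ignored, which is a deliberate simplification for this check.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        return (0,)
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so (4, 9) compares as (4, 9, 0)
    b += (0,) * (width - len(b))
    return a < b


def find_plugin(plugin_manager_json: dict, short_name: str = PLUGIN_SHORT_NAME) -> Optional[dict]:
    """Locate one plugin entry in the plugin manager API response by shortName."""
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None


def assess(plugin_manager_json: dict) -> dict:
    """Summarise whether the Git Plugin is installed and whether it predates the fix."""
    plugin = find_plugin(plugin_manager_json)
    if plugin is None:
        return {"installed": False, "version": None, "active": False, "vulnerable": False}
    version = plugin.get("version", "0")
    return {
        "installed": True,
        "version": version,
        "active": bool(plugin.get("active", True)),
        "vulnerable": is_vulnerable(version),
    }


def fetch_plugin_manager(base_url: str, user: str, api_token: str) -> dict:
    """Fetch the live plugin list from a Jenkins controller (not used by the offline demo).

    Assumption: the standard Jenkins endpoint /pluginManager/api/json?depth=1,
    authenticated with a user name and API token; listing plugins typically
    requires an administrator account.
    """
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    credentials = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": "Basic " + credentials})
    with urllib.request.urlopen(request, timeout=15) as response:
        return json.load(response)


# Constructed sample response, shaped like the plugin manager API output; not real data.
SAMPLE_PLUGIN_MANAGER_JSON = {
    "plugins": [
        {"shortName": "git-client", "longName": "Jenkins Git client plugin",
         "version": "3.11.0", "active": True},
        {"shortName": "git", "longName": "Jenkins Git plugin",
         "version": "4.11.3", "active": True},
    ]
}

if __name__ == "__main__":
    result = assess(SAMPLE_PLUGIN_MANAGER_JSON)
    status = "VULNERABLE (CVE-2022-36883)" if result["vulnerable"] else "fixed or not installed"
    print(f"Git Plugin version {result['version']}: {status}; fixed in {FIXED_VERSION}")
```

To run it against a real controller, replace the sample data with `fetch_plugin_manager("https://jenkins.example.test", "admin", "<API token>")`. A plugin that is installed but inactive still shows up in the output, so check the "active" field as well before deciding the exposure is moot.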

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36883
https://cwe.mitre.org/data/definitions/200.html
https://cwe.mitre.org/data/definitions/862.html