Jenkins Git
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Jenkins Git.
By the Year
In 2026 there have been 0 vulnerabilities in Jenkins Git. Git did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 7 | 6.91 |
| 2021 | 1 | 6.10 |
| 2020 | 1 | 5.40 |
| 2019 | 1 | 4.30 |
| 2018 | 2 | 5.85 |
It may take a day or so for new Git vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Jenkins Git Security Vulnerabilities
CVE-2022-38663: Jenkins Git Plugin <4.11.4 Improper Credential Masking
CVE-2022-38663
6.5 - Medium
- August 23, 2022
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.
Insufficiently Protected Credentials
Jenkins Git Plugin <4.11.3: Unauthenticated Webhook Info Disclosure
CVE-2022-36884
5.3 - Medium
- July 27, 2022
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
Missing Authentication for Critical Function
Jenkins Git Plugin <=4.11.3 Unauth Build Trigger & Repo Checkout
CVE-2022-36883
7.5 - High
- July 27, 2022
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
AuthZ
Jenkins Git Plugin <4.11.3 CSRF: Unauthorized Build Execution
CVE-2022-36882
8.8 - High
- July 27, 2022
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
Session Riding
Jenkins REPO Plugin 1.14.0 and earlier
CVE-2022-30949
5.3 - Medium
- May 17, 2022
Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Jenkins Mercurial Plugin 2.16 and earlier
CVE-2022-30948
7.5 - High
- May 17, 2022
Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Jenkins Git Plugin 4.11.1 and earlier
CVE-2022-30947
7.5 - High
- May 17, 2022
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause
CVE-2021-21684
6.1 - Medium
- October 06, 2021
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
Output Sanitization
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation
CVE-2020-2136
5.4 - Medium
- March 09, 2020
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
XSS
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java
CVE-2019-1003010
4.3 - Medium
- February 06, 2019
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.
Session Riding
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java
CVE-2018-1000182
6.4 - Medium
- June 05, 2018
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
SSRF
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java
CVE-2018-1000110
5.3 - Medium
- March 13, 2018
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.
AuthZ
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Jenkins Git or by Jenkins? Click the Watch button to subscribe.
