Jenkins Git
By the Year
In 2023 there have been 0 vulnerabilities in Jenkins Git . Last year Git had 7 security vulnerabilities published. Right now, Git is on track to have less security vulnerabilities in 2023 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 0 | 0.00 |
| 2022 | 7 | 6.91 |
| 2021 | 1 | 6.10 |
| 2020 | 1 | 5.40 |
| 2019 | 1 | 4.30 |
| 2018 | 2 | 5.85 |
It may take a day or so for new Git vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Jenkins Git Security Vulnerabilities
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e
CVE-2022-38663
6.5 - Medium
- August 23, 2022
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.
Insufficiently Protected Credentials
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
CVE-2022-36884
5.3 - Medium
- July 27, 2022
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
Information Disclosure
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier
CVE-2022-36883
7.5 - High
- July 27, 2022
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
AuthZ
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier
CVE-2022-36882
8.8 - High
- July 27, 2022
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
Session Riding
Jenkins REPO Plugin 1.14.0 and earlier
CVE-2022-30949
5.3 - Medium
- May 17, 2022
Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Jenkins Mercurial Plugin 2.16 and earlier
CVE-2022-30948
7.5 - High
- May 17, 2022
Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Jenkins Git Plugin 4.11.1 and earlier
CVE-2022-30947
7.5 - High
- May 17, 2022
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause
CVE-2021-21684
6.1 - Medium
- October 06, 2021
Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.
Output Sanitization
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation
CVE-2020-2136
5.4 - Medium
- March 09, 2020
Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
XSS
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java
CVE-2019-1003010
4.3 - Medium
- February 06, 2019
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record.
Session Riding
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java
CVE-2018-1000182
6.4 - Medium
- June 05, 2018
A server-side request forgery vulnerability exists in Jenkins Git Plugin 3.9.0 and older in AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, ViewGitWeb.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
XSPA
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java
CVE-2018-1000110
5.3 - Medium
- March 13, 2018
An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.
AuthZ
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Jenkins Git or by Jenkins? Click the Watch button to subscribe.
