CVE-2022-38663
https://notcve.org/view.php?id=CVE-2022-38663
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. Jenkins Git Plugin versiones 4.11.4 y anteriores, no enmascara apropiadamente (es decir, reemplaza con asteriscos) las credenciales en el registro de construcción proporcionado por el enlace de credenciales Git Username and Password ("gitUsernamePassword"). • http://www.openwall.com/lists/oss-security/2022/08/23/2 https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796 • CWE-522: Insufficiently Protected Credentials •
CVE-2022-36884 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36884
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. El endpoint de webhook en Jenkins Git Plugin versiones4.11.3 y anteriores, proporciona a atacantes no autenticados información sobre la existencia de trabajos configurados para usar un repositorio Git especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36884 https://bugzilla.redhat.com/show_bug.cgi?id=2119657 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-306: Missing Authentication for Critical Function •
CVE-2022-36883 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36883
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una falta de comprobación de permisos en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes no autenticados desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causarles una comprobación de un commit especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36883 https://bugzilla.redhat.com/show_bug.cgi?id=2119656 • CWE-862: Missing Authorization •
CVE-2022-36882 – jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git
https://notcve.org/view.php?id=CVE-2022-36882
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causar que comprueben un commit especificado por el atacante A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36882 https://bugzilla.redhat.com/show_bug.cgi?id=2116840 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-31012 – Git for Windows' installer can be tricked into executing an untrusted binary
https://notcve.org/view.php?id=CVE-2022-31012
Git for Windows is a fork of Git that contains Windows-specific patches. This vulnerability in versions prior to 2.37.1 lets Git for Windows' installer execute a binary into `C:\mingw64\bin\git.exe` by mistake. This only happens upon a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are available. • https://github.com/git-for-windows/git/releases/tag/v2.37.1.windows.1 https://github.com/git-for-windows/git/security/advisories/GHSA-gjrj-fxvp-hjj2 • CWE-426: Untrusted Search Path •