CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36884 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36884
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository. El endpoint de webhook en Jenkins Git Plugin versiones4.11.3 y anteriores, proporciona a atacantes no autenticados información sobre la existencia de trabajos configurados para usar un repositorio Git especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36884 https://bugzilla.redhat.com/show_bug.cgi?id=2119657 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-36883 – plugin: Lack of authentication mechanism in Git Plugin webhook
https://notcve.org/view.php?id=CVE-2022-36883
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una falta de comprobación de permisos en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes no autenticados desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causarles una comprobación de un commit especificado por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36883 https://bugzilla.redhat.com/show_bug.cgi?id=2119656 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36882 – jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git
https://notcve.org/view.php?id=CVE-2022-36882
A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins Git Plugin versiones 4.11.3 y anteriores, permite a atacantes desencadenar construcciones de trabajos configurados para usar un repositorio Git especificado por el atacante y causar que comprueben un commit especificado por el atacante A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit. • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284 https://access.redhat.com/security/cve/CVE-2022-36882 https://bugzilla.redhat.com/show_bug.cgi?id=2116840 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31012 – Git for Windows' installer can be tricked into executing an untrusted binary
https://notcve.org/view.php?id=CVE-2022-31012
Git for Windows is a fork of Git that contains Windows-specific patches. This vulnerability in versions prior to 2.37.1 lets Git for Windows' installer execute a binary into `C:\mingw64\bin\git.exe` by mistake. This only happens upon a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are available. • https://github.com/git-for-windows/git/releases/tag/v2.37.1.windows.1 https://github.com/git-for-windows/git/security/advisories/GHSA-gjrj-fxvp-hjj2 • CWE-426: Untrusted Search Path •
CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0CVE-2022-29187 – Bypass of safe.directory protections in Git
https://notcve.org/view.php?id=CVE-2022-29187
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. • http://seclists.org/fulldisclosure/2022/Nov/1 http://www.openwall.com/lists/oss-security/2022/07/14/1 https://github.blog/2022-04-12-git-security-vulnerability-announced https://github.com/git/git/security/advisories/GHSA-j342-m5hw-rr3v https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro • CWE-282: Improper Ownership Management CWE-427: Uncontrolled Search Path Element •