VulnerableCode Package Details - pkg:maven/org.jenkins-ci.plugins/git@4.11.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-f9ts-ya3x-t3bu Aliases: CVE-2022-38663 GHSA-jxmw-3gxf-fprh	Improper masking of credentials Jenkins in Git Plugin Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.	4.11.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-f9ts-ya3x-t3bu
Aliases:
CVE-2022-38663
GHSA-jxmw-3gxf-fprh

Improper masking of credentials Jenkins in Git Plugin Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.

4.11.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ca7m-fb38-kfe2	Lack of authentication mechanism in Jenkins Git Plugin webhook Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. In addition to this basic functionality, the endpoint also accept a `sha1` parameter specifying a commit ID. If this parameter is specified, jobs configured with the specified repo will be triggered immediately, and the build will check out the specified commit. Additionally, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Git repository URLs to trigger builds of jobs using a specified Git repository and to cause them to check out an attacker-specified commit, and to obtain information about the existence of jobs configured with this Git repository. Git Plugin 4.11.4 requires a `token` parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see [the plugin documentation](https://github.com/jenkinsci/git-plugin/#push-notification-from-repository).	CVE-2022-36883 GHSA-v878-67xw-grw2
VCID-gxu6-51zm-sfh7	Lack of authentication mechanism in Jenkins Git Plugin webhook Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. This webhook endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Git Plugin 4.11.4 requires a `token` parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see [the plugin documentation](https://github.com/jenkinsci/git-plugin/#push-notification-from-repository).	CVE-2022-36882 GHSA-8xwj-2wgh-gprh
VCID-ubq1-gzr6-x3fu	Lack of authentication mechanism in Jenkins Git Plugin webhook Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. In addition to this basic functionality, the endpoint also accept a `sha1` parameter specifying a commit ID. If this parameter is specified, jobs configured with the specified repo will be triggered immediately, and the build will check out the specified commit. Additionally, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Git repository URLs to trigger builds of jobs using a specified Git repository and to cause them to check out an attacker-specified commit, and to obtain information about the existence of jobs configured with this Git repository. Additionally, this webhook endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Git Plugin 4.11.4 requires a `token` parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see [the plugin documentation](https://github.com/jenkinsci/git-plugin/#push-notification-from-repository).	CVE-2022-36884 GHSA-449w-c77c-vmf6

Vulnerability

Summary

Aliases

VCID-ca7m-fb38-kfe2

Lack of authentication mechanism in Jenkins Git Plugin webhook Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. In addition to this basic functionality, the endpoint also accept a `sha1` parameter specifying a commit ID. If this parameter is specified, jobs configured with the specified repo will be triggered immediately, and the build will check out the specified commit. Additionally, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Git repository URLs to trigger builds of jobs using a specified Git repository and to cause them to check out an attacker-specified commit, and to obtain information about the existence of jobs configured with this Git repository. Git Plugin 4.11.4 requires a `token` parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see [the plugin documentation](https://github.com/jenkinsci/git-plugin/#push-notification-from-repository).

CVE-2022-36883
GHSA-v878-67xw-grw2

VCID-gxu6-51zm-sfh7

CVE-2022-36882
GHSA-8xwj-2wgh-gprh

VCID-ubq1-gzr6-x3fu

Lack of authentication mechanism in Jenkins Git Plugin webhook Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. In addition to this basic functionality, the endpoint also accept a `sha1` parameter specifying a commit ID. If this parameter is specified, jobs configured with the specified repo will be triggered immediately, and the build will check out the specified commit. Additionally, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Git repository URLs to trigger builds of jobs using a specified Git repository and to cause them to check out an attacker-specified commit, and to obtain information about the existence of jobs configured with this Git repository. Additionally, this webhook endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Git Plugin 4.11.4 requires a `token` parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see [the plugin documentation](https://github.com/jenkinsci/git-plugin/#push-notification-from-repository).

CVE-2022-36884
GHSA-449w-c77c-vmf6

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-03T21:27:30.358657+00:00	GitLab Importer	Affected by	VCID-f9ts-ya3x-t3bu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/git/CVE-2022-38663.yml	38.1.0
2026-04-01T16:02:53.818448+00:00	GHSA Importer	Fixing	VCID-ubq1-gzr6-x3fu	https://github.com/advisories/GHSA-449w-c77c-vmf6	38.0.0
2026-04-01T16:02:53.754804+00:00	GHSA Importer	Fixing	VCID-gxu6-51zm-sfh7	https://github.com/advisories/GHSA-8xwj-2wgh-gprh	38.0.0
2026-04-01T16:02:53.694347+00:00	GHSA Importer	Fixing	VCID-ca7m-fb38-kfe2	https://github.com/advisories/GHSA-v878-67xw-grw2	38.0.0
2026-04-01T13:07:24.065827+00:00	GithubOSV Importer	Fixing	VCID-ca7m-fb38-kfe2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-v878-67xw-grw2/GHSA-v878-67xw-grw2.json	38.0.0
2026-04-01T13:07:21.305959+00:00	GithubOSV Importer	Fixing	VCID-gxu6-51zm-sfh7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8xwj-2wgh-gprh/GHSA-8xwj-2wgh-gprh.json	38.0.0
2026-04-01T13:07:19.675253+00:00	GithubOSV Importer	Fixing	VCID-ubq1-gzr6-x3fu	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-449w-c77c-vmf6/GHSA-449w-c77c-vmf6.json	38.0.0