CVE-2022-36882
📋 TL;DR
This CSRF vulnerability in Jenkins Git Plugin allows attackers to trigger unauthorized builds of jobs configured with Git repositories. Attackers can force Jenkins to check out arbitrary commits from attacker-controlled repositories, potentially leading to code execution or supply chain attacks. Affects Jenkins instances with Git Plugin 4.11.3 or earlier installed.
💻 Affected Systems
- Jenkins Git Plugin
📦 What is this software?
Git Plugin for Jenkins (the plugin that lets Jenkins jobs check out source code from Git repositories)
⚠️ Risk & Real-World Impact
Worst Case
Attackers execute arbitrary code on Jenkins servers by triggering builds with malicious commits, potentially compromising the entire CI/CD pipeline and downstream systems.
Likely Case
Attackers inject malicious code into builds, leading to supply chain attacks, data exfiltration, or disruption of development workflows.
If Mitigated
With proper CSRF protections and access controls, impact is limited to unauthorized build triggers without code execution.
🎯 Exploit Status
Exploitation requires tricking authenticated users into visiting malicious pages. CSRF tokens are not properly validated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Git Plugin 4.11.4
Vendor Advisory: https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284
Restart Required: Yes
Instructions:
1. Update Jenkins Git Plugin to version 4.11.4 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply changes.
3. Verify plugin version in Manage Jenkins > Plugin Manager.
🔧 Temporary Workarounds
Enable CSRF Protection
Ensure Jenkins CSRF protection is enabled globally.
Check: Manage Jenkins > Configure Global Security > Enable CSRF Protection
Restrict Build Permissions
Limit who can trigger builds on vulnerable jobs.
Configure job permissions: Job Configuration > Build Triggers > Restrict where this project can be run
🧯 If You Can't Patch
- Implement network segmentation to isolate Jenkins from production systems
- Enable audit logging for all build triggers and monitor for unauthorized activity
🔍 How to Verify
Check if Vulnerable:
Check Git Plugin version in Jenkins: Manage Jenkins > Plugin Manager > Installed plugins, look for Git Plugin version 4.11.3 or earlier.
Check Version:
java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep git
Verify Fix Applied:
Verify Git Plugin version is 4.11.4 or later in Plugin Manager. Test CSRF protection by attempting to trigger builds without valid tokens.
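Added example (not part of this advisory): a small Python check that reads the plugin inventory Jenkins serves at /pluginManager/api/json?depth=1 and reports whether the installed Git Plugin is still in the affected range (4.11.3 or earlier). It compares versions numerically, because a plain string comparison would wrongly rank a version such as 4.9.0 above 4.11.4. The sample inventories are constructed for offline use; the FIXED_VERSION constant and the handling of textual version suffixes are this example's own assumptions.

```python
"""Check whether a Jenkins instance still runs a Git Plugin version affected
by CVE-2022-36882 (4.11.3 and earlier), using the plugin inventory exposed at
/pluginManager/api/json?depth=1 (fetch it with an API token, for example:
curl -u user:token 'https://jenkins.example/pluginManager/api/json?depth=1')."""
import json
import re
from typing import Optional

FIXED_VERSION = "4.11.4"  # first fixed release named in the vendor advisory


def parse_version(version: str) -> tuple:
    """Turn '4.11.3' into (4, 11, 3) so versions compare numerically.
    Assumption: a textual suffix such as '-beta1' is ignored and only the
    numeric prefix decides affected vs. fixed."""
    match = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def git_plugin_status(inventory_json: str) -> Optional[bool]:
    """Return True if the Git Plugin is affected, False if it is at or above
    the fixed version, and None if the plugin is not installed at all.
    Expects the JSON body of /pluginManager/api/json?depth=1, whose
    'plugins' list carries 'shortName' and 'version' for each plugin."""
    plugins = json.loads(inventory_json).get("plugins", [])
    for plugin in plugins:
        if plugin.get("shortName") == "git":  # shortName of the Git Plugin
            return parse_version(plugin["version"]) < parse_version(FIXED_VERSION)
    return None


# Constructed sample inventories (the real API returns many more fields).
VULNERABLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "git-client", "version": "3.11.0", "active": True},
    {"shortName": "git", "version": "4.11.3", "active": True},
]})
PATCHED_INVENTORY = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.5", "active": True},
]})

if __name__ == "__main__":
    for label, body in (("sample A", VULNERABLE_INVENTORY), ("sample B", PATCHED_INVENTORY)):
        verdict = {True: "AFFECTED: update to 4.11.4 or later",
                   False: "fixed", None: "Git Plugin not installed"}[git_plugin_status(body)]
        print(f"{label}: {verdict}")
```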
📡 Detection & Monitoring
Log Indicators:
- Unauthorized build triggers from unexpected IPs
- Git repository URLs changed unexpectedly in build logs
- Failed CSRF token validation attempts
Network Indicators:
- HTTP POST requests to /job/*/build without CSRF tokens
- Unusual Git clone operations from external repositories
SIEM Query:
source="jenkins.log" AND (("CSRF token" AND "invalid") OR ("build triggered" AND NOT user=*))