CVE-2022-36883: 
Java vulnerability analysis and mitigation

CVE-2022-36883 is a security vulnerability discovered in Jenkins Git Plugin versions 4.11.3 and earlier, disclosed on July 27, 2022. The vulnerability stems from a missing permission check in the plugin's webhook endpoint that allows unauthenticated attackers to trigger builds of jobs configured to use specific Git repositories (Jenkins Advisory).

The vulnerability exists in the Git Plugin's webhook endpoint at /git/notifyCommit. The endpoint accepts a sha1 parameter specifying a commit ID, and when this parameter is specified, jobs configured with the specified repository will be triggered immediately and check out the specified commit. The vulnerability occurs because this endpoint can be accessed with GET requests and without proper authentication in affected versions (Jenkins Advisory).

This vulnerability allows attackers with knowledge of Git repository URLs to trigger builds of jobs using a specified Git repository and cause them to check out an attacker-specified commit. Additionally, the webhook endpoint output provides information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access, leading to potential information disclosure (Jenkins Advisory).

The vulnerability has been fixed in Git Plugin version 4.11.4. The fix requires a token parameter that authorizes requests to the webhook endpoint. While GET requests remain allowed, attackers would need to provide a valid webhook token to trigger builds. Users are advised to upgrade to this version or later (Jenkins Advisory).