CVE-2022-36884: 
Java vulnerability analysis and mitigation

CVE-2022-36884 is an information disclosure vulnerability in Jenkins Git Plugin 4.11.3 and earlier, discovered and disclosed on July 27, 2022. The vulnerability affects the webhook endpoint in Jenkins Git Plugin, which provides unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository (Jenkins Advisory, CVE Mitre).

The vulnerability exists in the webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. The endpoint accepts GET requests without authentication and includes a sha1 parameter specifying a commit ID. When this parameter is specified, the webhook endpoint provides information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. The vulnerability has been assigned a Medium severity CVSS rating (Jenkins Advisory).

This vulnerability allows attackers with knowledge of Git repository URLs to obtain information about the existence of jobs configured with a specific Git repository, even for jobs they don't have permission to access. This information disclosure could potentially be used for reconnaissance or as part of a larger attack chain (Jenkins Advisory).

The vulnerability was fixed in Git Plugin version 4.11.4, which requires a token parameter that authorizes requests to the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token to access the information. Users are advised to upgrade to this version or later (Jenkins Advisory).