How severe is GHSA-v878-67xw-grw2?

GHSA-v878-67xw-grw2 has a CVSS score of 6.5/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-v878-67xw-grw2?

GHSA-v878-67xw-grw2 affects the following packages: org.jenkins-ci.plugins:git (Maven). Ecosystems affected: Maven.

How do I fix GHSA-v878-67xw-grw2?

Update org.jenkins-ci.plugins:git to 4.11.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-v878-67xw-grw2 is resolved across your whole dependency graph.

How do I detect GHSA-v878-67xw-grw2 in my Maven dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.jenkins-ci.plugins:git. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-v878-67xw-grw2 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-v878-67xw-grw2?

O3 pinpoints whether GHSA-v878-67xw-grw2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-v878-67xw-grw2 actively exploited in the wild?

No public exploit code has been indexed for GHSA-v878-67xw-grw2 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-v878-67xw-grw2?

GHSA-v878-67xw-grw2 has an EPSS (Exploit Prediction Scoring System) score of 5.5%, placing it in the 92th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

Is there exploit tooling available for GHSA-v878-67xw-grw2?

A Nuclei detection template exists for GHSA-v878-67xw-grw2, meaning automated scanners can fingerprint it. Public exploit tooling significantly increases real-world risk — prioritize patching and ensure detection coverage. Exploit tooling should only ever be used in isolated, authorized testing environments.

When was GHSA-v878-67xw-grw2 published, and has it been updated?

GHSA-v878-67xw-grw2 was published on July 28, 2022 and was last updated on February 16, 2024. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

☕ Maven

GHSA-v878-67xw-grw2

MEDIUM

Lack of authentication mechanism in Jenkins Git Plugin webhook

Also known asCVE-2022-36883

Published

Jul 28, 2022

Updated

Feb 16, 2024

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

5.5%probability of exploitation in next 30 days

Lower Risk92th percentile-75.81%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

☕org.jenkins-ci.plugins:git

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.

Description

Git Plugin provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. In addition to this basic functionality, the endpoint also accept a sha1 parameter specifying a commit ID. If this parameter is specified, jobs configured with the specified repo will be triggered immediately, and the build will check out the specified commit. Additionally, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Git repository URLs to trigger builds of jobs using a specified Git repository and to cause them to check out an attacker-specified commit, and to obtain information about the existence of jobs configured with this Git repository. Git Plugin 4.11.4 requires a token parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see the plugin documentation.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
☕Maven	`org.jenkins-ci.plugins:git`	all versions	4.11.4

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.jenkins-ci.plugins:git. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.jenkins-ci.plugins:git to 4.11.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-v878-67xw-grw2 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-v878-67xw-grw2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-v878-67xw-grw2. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Git Plugin provides a webhook endpoint at `/git/notifyCommit` that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET requests and without authentication. In addition to this basic functionality, the endpoint also accept a `sha1` parameter specifying a commit ID. If this parameter is specified, jobs configured with the specified repo will be trigger

O3 Security · Impact-Aware SCA

Is GHSA-v878-67xw-grw2 in your dependencies?

O3 detects GHSA-v878-67xw-grw2 across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works