GHSA-cm7j-p8hc-97vj

GitHub Security Advisory

Jenkins Git client plugin 3.11.0 does not perform SSH host key verification

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Jenkins Git client plugin 3.11.0 and earlier do not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. Git client plugin 3.11.1 provides host key verification strategies, letting administrators select the one that meets their security needs. For more information, see [the plugin documentation](https://github.com/jenkinsci/git-client-plugin#ssh-host-key-verification).

Affected Packages

Maven org.jenkins-ci.plugins:git-client
Affected versions: 0 (fixed in 3.11.1)

Key Information

GHSA ID
GHSA-cm7j-p8hc-97vj
Published
July 28, 2022 12:00 AM
Last Modified
December 12, 2022 8:36 PM
CVSS Score
5.0/10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.plugins:git-client
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.