Key Exchange without Entity Authentication
Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.
Advisories for Maven/Org.jenkins-Ci.plugins/Git-Client package
2022
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc does not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.
Exposure of Sensitive Information to an Unauthorized Actor
Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file with insecure permissions resulting in information disclosure