Azure DevOps service hooks Git Build fails to authorize

Using Jenkins
1

I’ve also created an issue on https://issues.jenkins.io/browse/JENKINS-70902
After upgrading Jenkins from version 2.332.x to 2.387.1 Azure Devops service hooks on code push event become unauthorized. It use Built-in Jenkins API. Git plugin version 5.0.0

Environment:
Jenkins 2.387.1, Git plugin version 5.0.0
openjdk version “11.0.18” 2023-01-17
OpenJDK Runtime Environment (build 11.0.18+10-post-Ubuntu-0ubuntu118.04.1)
OpenJDK 64-Bit Server VM (build 11.0.18+10-post-Ubuntu-0ubuntu118.04.1, mixed mo de, sharing)
Ubuntu 18.04.6 LTS
environment is not containerized.
No Azure DevOps(TFS) plugin installed in Jenkins.

It would be great, if someone provide me help in finding reason and how to mitigate this issue ?

2

If the Azure DevOps service hook is calling the /git/notifyCommit end point of the git plugin, then that is an intentional change of behavior in the git plugin. That change of behavior resolves a security vulnerability that is described in

That vulnerability exists in git plugin versions 4.11.3 and earlier. More details on the situation and your alternatives are available in the git plugin documentation.

3

Thank you Mark for your answer,
You are right, Azure DevOps use /git/nofifyCommit endpoint. As described here Create a service hook with Jenkins - Azure DevOps | Microsoft Learn
I use Jenkins auth token.
Request:

Method: GET
URI: https://somejenkins.com/git/notifyCommit?url=https:%2F%2Ffabrikam-fiber-inc.visualstudio.com%2FDefaultCollection%2F_git%2FFabrikam-Fiber-Git&sha1=secretvalue&branches=master
HTTP Version: 1.1
Headers:
{
  X-VSS-ActivityId: c78fb927-7382-xxxx-xxxx-e8173861d901
  X-VSS-SubscriptionId: ef6c4ebc-af55-xxxx-xxxx-f961f2dbbf15
  User-Agent: VSServices/19.219.33519.3
  User-Agent: (w3wp.exe)
  Authorization: Basic ********
}

Response:

Status Code: 401
Reason Phrase: Unauthorized
HTTP Version: 1.1
Headers:
{
  Connection: keep-alive
  X-Content-Type-Options: nosniff
  Cache-Control: no-store, must-revalidate, no-cache
  Date: Fri, 31 Mar 2023 11:15:16 GMT
  Server: nginx/1.14.0
  Server: (Ubuntu)
  Content-Length: 925
  Content-Type: text/html; charset=iso-8859-1
}

I’m going to read in more detail to understand the sentence " Git Plugin 4.11.4 requires a token parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see the plugin documentation."

Thank you.