I’ve also created an issue on https://issues.jenkins.io/browse/JENKINS-70902
After upgrading Jenkins from version 2.332.x to 2.387.1, Azure DevOps service hooks on code push events became unauthorized. They use the built-in Jenkins API. Git plugin version 5.0.0.
Jenkins 2.387.1, Git plugin version 5.0.0
openjdk version “11.0.18” 2023-01-17
OpenJDK Runtime Environment (build 11.0.18+10-post-Ubuntu-0ubuntu118.04.1)
OpenJDK 64-Bit Server VM (build 11.0.18+10-post-Ubuntu-0ubuntu118.04.1, mixed mode, sharing)
Ubuntu 18.04.6 LTS
The environment is not containerized.
No Azure DevOps (TFS) plugin installed in Jenkins.
It would be great if someone could help me find the reason and how to mitigate this issue.
If the Azure DevOps service hook is calling the /git/notifyCommit endpoint of the git plugin, then that is an intentional change of behavior in the git plugin. That change of behavior resolves a security vulnerability that is described in
That vulnerability exists in git plugin versions 4.11.3 and earlier. More details on the situation and your alternatives are available in the git plugin documentation.
I’m going to read in more detail to understand the sentence "Git Plugin 4.11.4 requires a token parameter which will act as an authentication for the webhook endpoint. While GET requests remain allowed, attackers would need to be able to provide a webhook token. For more information see the plugin documentation."
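As an added example (not part of the thread, and not code from the git plugin project), the following POSIX shell script shows what a webhook caller such as the Azure DevOps service hook above now has to send: a GET to `/git/notifyCommit` whose query string carries the repository `url` plus the `token` parameter introduced in git plugin 4.11.4. The Jenkins base URL, the repository URL and the token value are placeholders; the token itself is generated from the Jenkins script console as described in the git plugin documentation, and nothing here talks to a live server unless you call `notify_jenkins` yourself.

```shell
#!/bin/sh
# Added example: build and send a git-plugin notifyCommit request that
# includes the webhook token required since git plugin 4.11.4.
# The hostnames, repository path and token below are placeholders.

# Percent-encode one string for use as a query-parameter value.
# Pure POSIX sh: walks the string one character at a time and leaves the
# RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~) untouched. ASCII only.
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character of $s
    s=${s#?}          # drop it from $s
    case $c in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Compose the notifyCommit URL. The "url" parameter must match the
# repository URL configured in the Jenkins job; "token" is the webhook
# access token from the Jenkins script console. Both are URL-encoded so
# that "/" and ":" in the repository URL cannot be misparsed.
build_notify_url() {
  jenkins_base=${1%/}   # strip a trailing slash if present
  repo_url=$2
  token=$3
  printf '%s/git/notifyCommit?url=%s&token=%s' \
    "$jenkins_base" "$(urlencode "$repo_url")" "$(urlencode "$token")"
}

# Send the request. -f makes curl exit non-zero on 4xx/5xx, so a missing
# or wrong token (HTTP 403 from the plugin) shows up as a script failure
# instead of being silently ignored.
notify_jenkins() {
  curl -fsS -X GET "$(build_notify_url "$1" "$2" "$3")"
}

# Usage (placeholders; the token is read from the environment so it does
# not end up in shell history or in a committed hook definition):
#   JENKINS_WEBHOOK_TOKEN=... \
#   sh notify.sh https://jenkins.example.com https://dev.azure.com/org/proj/_git/repo
if [ "$#" -eq 2 ] && [ -n "${JENKINS_WEBHOOK_TOKEN:-}" ]; then
  notify_jenkins "$1" "$2" "$JENKINS_WEBHOOK_TOKEN"
fi
```

For an Azure DevOps service hook the same change is made in the hook's target URL: append `&token=<webhook token>` to the existing `.../git/notifyCommit?url=<repository URL>` value. The git plugin documentation also describes a system property (`hudson.plugins.git.GitStatus.NOTIFY_COMMIT_ACCESS_CONTROL`) that relaxes the token check; supplying the token and leaving the check enabled is the option that keeps the fix for the vulnerability in place.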