Type: Bug
Resolution: Fixed
Priority: Minor
Environment: Jenkins 2.361.1 and git client plugin 3.12.0
Released As: 3.12.1
The git client plugin bundles JGit so that other Jenkins plugins can use JGit classes and methods to access git repositories. JGit 5.13.1 depends on gson 2.8.8, so the gson 2.8.8 library is included in the git client plugin as a transitive dependency.
The gson 2.8.8 library is vulnerable to CVE-2022-25647, a deserialization vulnerability. Because Jenkins does not allow deserialization of internal gson types (the JEP-200 allowlists block them), the vulnerability in gson 2.8.8 is unlikely to affect Jenkins. However, it would still be good to update from gson 2.8.8 to gson 2.8.9 so that security scanners do not report it as a potential issue.
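One way to force the transitive gson version without waiting for a JGit release, shown here as an added illustration rather than the git client plugin's own pom.xml (the plugin may have resolved this differently, for example by upgrading JGit): a Maven dependencyManagement entry that pins gson to 2.8.9 for the whole build.

```xml
<!-- Added illustration, not the git client plugin's pom.xml: pin the gson
     version that JGit 5.13.1 pulls in transitively. The coordinates are
     gson's published Maven coordinates; how the plugin actually applied
     the update is an assumption not stated in the issue. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.code.gson</groupId>
      <artifactId>gson</artifactId>
      <version>2.8.9</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=com.google.code.gson` should list only gson 2.8.9, which is the state a scanner needs to see to stop flagging CVE-2022-25647.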