The class handling unauthenticated Git post-commit hook notification requests at the /git/ path unnecessarily extended another type that handled requests to the .../search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyone with Overall/Read permission. In current Jenkins releases, those are typically the names of known users (both actual users of Jenkins, and known SCM committers) and nodes (master and agents). External References: https://jenkins.io/security/advisory/2018-02-26/