CVE-2022-28133 – io.jenkins.plugins:atlassian-bitbucket-server-integration
Package
Manager: maven
Name: io.jenkins.plugins:atlassian-bitbucket-server-integration
Vulnerable Version: >=2.0.0 <3.2.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.31598 (percentile 0.9665)
Details
Stored XSS vulnerability in Jenkins Bitbucket Server Integration Plugin
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Bitbucket Server consumers.
Metadata
Created: 2022-03-30T00:00:26Z
Modified: 2023-10-27T17:13:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-45v7-65q8-x294/GHSA-45v7-65q8-x294.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-45v7-65q8-x294
Finding: F425
Auto approve: 1