
CVE-2025-24398 io.jenkins.plugins:atlassian-bitbucket-server-integration

Package

Manager: maven
Name: io.jenkins.plugins:atlassian-bitbucket-server-integration
Vulnerable Version: >=2.1.0 <4.1.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00129 (percentile 0.33077)

Details

Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication. In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive), this implementation is too permissive, allowing attackers to craft URLs that bypass the CSRF protection of any target URL. Bitbucket Server Integration Plugin 4.1.4 restricts the URLs for which it disables CSRF protection to those that need it.
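The extension point referred to above is Jenkins' CrumbExclusion: Jenkins calls each registered exclusion before crumb validation, and an exclusion that passes the request down the filter chain and returns true causes the request to be served without a CSRF crumb. The block below is an added illustration, not the plugin's code and not the actual defect in 2.1.0 through 4.1.3 (the advisory does not describe the faulty match). It contrasts a too-permissive predicate, which looks for a marker anywhere in the attacker-influenced URL, with a restricted one that matches only the exact paths an OAuth 1.0 token exchange needs. The package name, class name, marker string and endpoint paths are assumptions.

```java
package example.jenkins; // hypothetical package; this is not the plugin's code

import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Set;

/**
 * Illustrative CrumbExclusion for an OAuth 1.0 token endpoint.
 * Jenkins calls process() before crumb validation; returning true after
 * chain.doFilter() means the request is served WITHOUT a CSRF crumb.
 * Everything exempted here must therefore be safe to call cross-site,
 * which is why the match has to be exact and narrow.
 */
@Extension
public class OAuthCrumbExclusion extends CrumbExclusion {

    // Assumed marker and endpoint paths; the real plugin's paths may differ.
    private static final String MARKER = "/bitbucket-oauth/";
    private static final Set<String> EXEMPT_PATHS = Set.of(
            "/bitbucket-oauth/request-token",
            "/bitbucket-oauth/access-token");

    /**
     * Too permissive (the pattern to avoid): it searches for the marker in the
     * full reconstructed URL, query string included, all of which the caller
     * controls. A request such as
     *   POST /job/build-prod/doDelete?x=/bitbucket-oauth/
     * satisfies it, so doDelete is reached with CSRF protection switched off.
     */
    static boolean tooPermissive(HttpServletRequest request) {
        String url = request.getRequestURL().toString();
        String query = request.getQueryString();
        String full = query == null ? url : url + "?" + query;
        return full.contains(MARKER);
    }

    /**
     * Restricted: decide on the path Jenkins actually routes on (no scheme,
     * host, context path or query string) and only for the exact endpoints
     * that must accept cross-origin POSTs without a crumb.
     */
    static boolean isExempt(HttpServletRequest request) {
        String path = request.getPathInfo();
        if (path == null) {
            return false;
        }
        // Tolerate a single trailing slash; anything else must match exactly.
        if (path.length() > 1 && path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        return EXEMPT_PATHS.contains(path);
    }

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isExempt(request)) {
            chain.doFilter(request, response); // served without a crumb
            return true;
        }
        return false; // fall through to normal crumb validation
    }
}
```

A practical check after upgrading to 4.1.4: send a crumb-less POST to an unrelated protected action on the controller with the OAuth path segment placed in the query string or as a trailing path component, and confirm Jenkins answers 403 with its "No valid crumb was included in the request" error rather than executing the action. Until the upgrade is applied, the attacker's prerequisite is only that a logged-in user visits a page the attacker controls (the CVSS vector's UI:R / UI:P), so the plugin should be treated as giving every Jenkins POST endpoint no CSRF protection at all.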

Metadata

Created: 2025-01-22T18:31:55Z
Modified: 2025-01-22T19:04:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-qjw6-xvrm-5f2h/GHSA-qjw6-xvrm-5f2h.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-qjw6-xvrm-5f2h
Finding: F007
Auto approve: 1