CVE-2022-20619 – org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Manager: maven
Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
Vulnerable Version: >=726.v7e6f53de133c <746.v350d2781c184 || >=720.vbe985dd73d66 <725.vd9f8be0fa250 || >=2.9.8 <2.9.11.2 || >=0 <2.9.7.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00218 pctl0.44376

Details

Cross-Site Request Forgery in Jenkins Bitbucket Branch Source Plugin Jenkins Bitbucket Branch Source Plugin prior to 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Bitbucket Branch Source Plugin 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 requires POST requests for the affected HTTP endpoint.

Metadata

Created: 2022-01-13T00:01:00Z
Modified: 2023-05-24T17:27:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-w4jv-6rg4-pr4m/GHSA-w4jv-6rg4-pr4m.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-w4jv-6rg4-pr4m
Finding: F007
Auto approve: 1