GitHub Advisory Database: GHSA-M4RM-X2RR-357W

Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests

Published 2024-03-06 18:30:38 (GitHub Advisory Database, github.com)
Tags: jenkins, bitbucket, branch source plugin, trust policy, pull requests, forks, jenkinsfiles, users, write access, bitbucket server, software

AI Score: 6.4 Medium (confidence: High)
EPSS: 0.0004 Low (percentile: 9.1%)

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy “Forks in the same account” allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server. The trust policy decides whether a pull request is built with the Jenkinsfile from the fork (trusted) or with the one from the target branch (untrusted); with this policy on Bitbucket Server, a user who cannot write to the project can still get a Jenkinsfile of their choosing executed by that project's pipeline simply by opening a pull request from a fork.

Affected configurations

jenkins / bitbucket_branch_source: range < 871.v28d74e8b4226 (vendor: jenkins)
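The description above gives the three conditions that have to line up for a job to be exposed (an affected plugin version, Bitbucket Server rather than Bitbucket Cloud, and the “Forks in the same account” policy on fork pull-request discovery), and the affected-configurations line gives the fixed version. The following check, which is an added example and not code from the advisory, from GitHub, or from the plugin project, turns those conditions into an offline audit of a multibranch job's config.xml. It assumes the plugin serialises the policy as the inner class ForkPullRequestDiscoveryTrait$TrustTeamForks inside a BitbucketSCMSource's traits (verify the class names against one of your own config.xml files), and treats any serverUrl whose host is not bitbucket.org as Bitbucket Server; the sample config.xml is constructed for the example.

```python
"""Offline exposure check for GHSA-m4rm-x2rr-357w against a Jenkins job's config.xml.

A job is flagged only when all three advisory conditions hold: affected plugin
version (below 871.v28d74e8b4226, except the patched 848.850.v6a_a_2a_234a_c81),
a Bitbucket Server serverUrl (assumption: any host other than bitbucket.org), and
fork PR discovery trusting "Forks in the same account" (assumed to be serialised
as ForkPullRequestDiscoveryTrait$TrustTeamForks; check against your own config.xml).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

FIXED_VERSION = "871.v28d74e8b4226"
BACKPORT_FIX = "848.850.v6a_a_2a_234a_c81"
SOURCE_CLASS = "com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource"
FORK_TRAIT = "com.cloudbees.jenkins.plugins.bitbucket.ForkPullRequestDiscoveryTrait"
TRUST_TEAM_FORKS = FORK_TRAIT + "$TrustTeamForks"  # assumed class name


def numeric_prefix(version):
    """Leading numeric components of a Jenkins CD-style version: '866.vdea_7dcd3008e' -> (866,)."""
    parts = []
    for part in version.split("."):
        if not part.isdigit():
            break  # the 'v<hash>' suffix carries no ordering
        parts.append(int(part))
    if not parts:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return tuple(parts)


def plugin_version_affected(version):
    """True below the fix, except for the explicitly patched backport release."""
    if version == BACKPORT_FIX:
        return False
    return numeric_prefix(version) < numeric_prefix(FIXED_VERSION)


def is_bitbucket_server(server_url):
    """Assumption: anything that is not Bitbucket Cloud is a Bitbucket Server instance."""
    host = (urlparse(server_url).hostname or "").lower()
    return host not in ("bitbucket.org", "api.bitbucket.org")


def find_team_fork_trust_sources(config_xml):
    """(serverUrl, 'owner/repo') for each Bitbucket Server source trusting same-account forks."""
    root = ET.fromstring(config_xml)
    hits = []
    for src in root.iter("source"):
        if src.get("class") != SOURCE_CLASS:
            continue
        server_url = src.findtext("serverUrl", default="")
        if not is_bitbucket_server(server_url):
            continue
        traits = src.find("traits")
        if traits is None:
            continue
        for trait in traits:
            if trait.tag != FORK_TRAIT:
                continue
            trust = trait.find("trust")
            if trust is not None and trust.get("class") == TRUST_TEAM_FORKS:
                repo = f"{src.findtext('repoOwner', '')}/{src.findtext('repository', '')}"
                hits.append((server_url, repo))
    return hits


def assess(plugin_version, config_xml):
    """Exposed sources, or [] when the installed plugin version already contains the fix."""
    if not plugin_version_affected(plugin_version):
        return []
    return find_team_fork_trust_sources(config_xml)


# Constructed sample config.xml: one Bitbucket Server source with the weak policy,
# one Bitbucket Cloud source with the same policy (out of scope for this advisory).
SAMPLE_CONFIG_XML = """<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
  <sources class="jenkins.branch.MultiBranchProject$BranchSourceList">
    <jenkins.branch.BranchSource>
      <source class="com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource">
        <serverUrl>https://bitbucket.corp.example</serverUrl>
        <repoOwner>PAY</repoOwner>
        <repository>payments-api</repository>
        <traits>
          <com.cloudbees.jenkins.plugins.bitbucket.ForkPullRequestDiscoveryTrait>
            <trust class="com.cloudbees.jenkins.plugins.bitbucket.ForkPullRequestDiscoveryTrait$TrustTeamForks"/>
          </com.cloudbees.jenkins.plugins.bitbucket.ForkPullRequestDiscoveryTrait>
        </traits>
      </source>
    </jenkins.branch.BranchSource>
    <jenkins.branch.BranchSource>
      <source class="com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource">
        <serverUrl>https://bitbucket.org</serverUrl>
        <repoOwner>acme</repoOwner>
        <repository>website</repository>
        <traits>
          <com.cloudbees.jenkins.plugins.bitbucket.ForkPullRequestDiscoveryTrait>
            <trust class="com.cloudbees.jenkins.plugins.bitbucket.ForkPullRequestDiscoveryTrait$TrustTeamForks"/>
          </com.cloudbees.jenkins.plugins.bitbucket.ForkPullRequestDiscoveryTrait>
        </traits>
      </source>
    </jenkins.branch.BranchSource>
  </sources>
</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
"""

if __name__ == "__main__":
    for version in ("866.vdea_7dcd3008e", "848.850.v6a_a_2a_234a_c81", "871.v28d74e8b4226"):
        print(version, "->", assess(version, SAMPLE_CONFIG_XML))
```

To run it against a real controller, fetch each multibranch job's `config.xml` (`/job/<name>/config.xml`, authenticated) and the installed plugin version from `/pluginManager/api/json?depth=1` (plugin short name `cloudbees-bitbucket-branch-source`), then pass both to `assess`. Only the numeric prefix of the version string is compared, because the `v<hash>` suffix of Jenkins CD versions has no ordering; the backport release is matched exactly rather than by number, which is why 848.850 is treated as fixed while 848 releases without that suffix are not.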
