CVE-2024-28152

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-28152
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28152.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-28152
Aliases
Published
2024-03-06T17:15:10.637Z
Modified
2026-04-12T10:25:01.972133Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
[none]
Details

In Jenkins Bitbucket Branch Source Plugin 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

References

Affected packages

Git / github.com/jenkinsci/bitbucket-branch-source-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/bitbucket-branch-source-plugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6aa2a234ac81b6f4c6ca9ae6e465e4ff35dde071
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
04c46c86f911259d05c7055221919d9d59596086
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
dea7dcd3008e4fa2e524c06b228a7cf9c8e3907f
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "848.850.v6a_a_2a_234a_c81"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "856.v04c46c86f911"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "866.vdea_7dcd3008e"
        }
    ]
}

Affected versions

723.*
723.vbabdf19eb4c7
726.*
726.vb0c1ea6c9336
731.*
731.v1f980b7eba32
734.*
734.v2f848c5e6ea2
737.*
737.vdf9dc06105be
746.*
746.v350d2781c184
751.*
751.vda_24678a_f781
756.*
756.v081ee2205040
757.*
757.vddedc5f2589a_
762.*
762.v969cfe087fc0
765.*
765.v5a_2d6a_23c01d
773.*
773.v4b_9b_005b_562b_
784.*
784.v7fcdc7c670f6
785.*
785.ve724eb_44e286
791.*
791.vb_eea_a_476405b
796.*
796.v6cb_1559e1673
800.*
800.va_b_b_9a_a_5035c1
803.*
803.vd9c5e84c41fa_
804.*
804.v8b_0642650b_d2
805.*
805.v7f97d29dc0f5
809.*
809.vc1d904b_30426
820.*
820.v30b_e8c1e36f3
825.*
825.va_6a_dc46a_f97d
832.*
832.v43175a_425ea_6
843.*
843.vd09104df7988
845.*
845.v27a_d5823911b_
848.*
848.v42c6a_317eda_e
856.*
856.v04c46c86f911
866.*
866.vdea_7dcd3008e
cloudbees-bitbucket-branch-source-2.*
cloudbees-bitbucket-branch-source-2.0.2
cloudbees-bitbucket-branch-source-2.1.0
cloudbees-bitbucket-branch-source-2.1.1
cloudbees-bitbucket-branch-source-2.1.2
cloudbees-bitbucket-branch-source-2.2.0
cloudbees-bitbucket-branch-source-2.2.1
cloudbees-bitbucket-branch-source-2.2.10
cloudbees-bitbucket-branch-source-2.2.11
cloudbees-bitbucket-branch-source-2.2.12
cloudbees-bitbucket-branch-source-2.2.13
cloudbees-bitbucket-branch-source-2.2.14
cloudbees-bitbucket-branch-source-2.2.15
cloudbees-bitbucket-branch-source-2.2.16
cloudbees-bitbucket-branch-source-2.2.2
cloudbees-bitbucket-branch-source-2.2.3
cloudbees-bitbucket-branch-source-2.2.4
cloudbees-bitbucket-branch-source-2.2.5
cloudbees-bitbucket-branch-source-2.2.6
cloudbees-bitbucket-branch-source-2.2.7
cloudbees-bitbucket-branch-source-2.2.8
cloudbees-bitbucket-branch-source-2.2.9
cloudbees-bitbucket-branch-source-2.3.0
cloudbees-bitbucket-branch-source-2.4.0
cloudbees-bitbucket-branch-source-2.4.1
cloudbees-bitbucket-branch-source-2.4.2
cloudbees-bitbucket-branch-source-2.4.3
cloudbees-bitbucket-branch-source-2.4.4
cloudbees-bitbucket-branch-source-2.4.5
cloudbees-bitbucket-branch-source-2.4.6
cloudbees-bitbucket-branch-source-2.5.0
cloudbees-bitbucket-branch-source-2.6.0
cloudbees-bitbucket-branch-source-2.7.0
cloudbees-bitbucket-branch-source-2.8.0
cloudbees-bitbucket-branch-source-2.9.0
cloudbees-bitbucket-branch-source-2.9.1
cloudbees-bitbucket-branch-source-2.9.10
cloudbees-bitbucket-branch-source-2.9.11
cloudbees-bitbucket-branch-source-2.9.12
cloudbees-bitbucket-branch-source-2.9.2
cloudbees-bitbucket-branch-source-2.9.3
cloudbees-bitbucket-branch-source-2.9.4
cloudbees-bitbucket-branch-source-2.9.5
cloudbees-bitbucket-branch-source-2.9.6
cloudbees-bitbucket-branch-source-2.9.7
cloudbees-bitbucket-branch-source-2.9.8
cloudbees-bitbucket-branch-source-2.9.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28152.json"
vanir_signatures_modified 
"2026-04-12T10:25:01Z"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/bitbucket-branch-source-plugin/commit/6aa2a234ac81b6f4c6ca9ae6e465e4ff35dde071",
        "digest": {
            "function_hash": "66523165340550917703522118877406842793",
            "length": 264.0
        },
        "id": "CVE-2024-28152-cc10ffda",
        "deprecated": false,
        "target": {
            "file": "src/main/java/com/cloudbees/jenkins/plugins/bitbucket/ForkPullRequestDiscoveryTrait.java",
            "function": "checkTrusted"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/bitbucket-branch-source-plugin/commit/6aa2a234ac81b6f4c6ca9ae6e465e4ff35dde071",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "30890580078752889672481009885636430360",
                "229402029620681632373804298718475472446",
                "256905793418602869343659903632231533641",
                "212546324705304523228493246612319086967"
            ]
        },
        "id": "CVE-2024-28152-f7826a9c",
        "deprecated": false,
        "target": {
            "file": "src/main/java/com/cloudbees/jenkins/plugins/bitbucket/ForkPullRequestDiscoveryTrait.java"
        }
    }
]