GHSA-45v7-65q8-x294

Source
https://github.com/advisories/GHSA-45v7-65q8-x294
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-45v7-65q8-x294/GHSA-45v7-65q8-x294.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-45v7-65q8-x294
Aliases
Published
2022-03-30T00:00:26Z
Modified
2024-02-16T08:20:10.258794Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Stored XSS vulnerability in Jenkins Bitbucket Server Integration Plugin
Details

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not restrict the URL schemes accepted for OAuth consumer callback URLs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Bitbucket Server consumers.

Database specific
{
    "nvd_published_at": "2022-03-29T13:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-29T21:49:49Z"
}
References

Affected packages

Maven / io.jenkins.plugins:atlassian-bitbucket-server-integration

Package

Name
io.jenkins.plugins:atlassian-bitbucket-server-integration
Purl
pkg:maven/io.jenkins.plugins/atlassian-bitbucket-server-integration

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
3.2.0

Affected versions

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3

3.*

3.0.0
3.0.1
3.0.2
3.1.0