GHSA-m4rm-x2rr-357w

Suggest an improvement
Source
https://github.com/advisories/GHSA-m4rm-x2rr-357w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-m4rm-x2rr-357w/GHSA-m4rm-x2rr-357w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m4rm-x2rr-357w
Aliases
  • CVE-2024-28152
Published
2024-03-06T18:30:38Z
Modified
2024-11-07T19:22:05.678027Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests
Details

In Jenkins Bitbucket Branch Source Plugin 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

Database specific
{
    "nvd_published_at": "2024-03-06T17:15:10Z",
    "cwe_ids": [
        "CWE-281"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-06T19:20:57Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
871.v28d74e8b_4226

Affected versions

1.*

1.3
1.4
1.5
1.7
1.8
1.9

2.*

2.0.0-beta-1
2.0.0
2.0.1
2.0.2-beta-1
2.0.2
2.1.0
2.1.1-beta-1
2.1.1
2.1.2
2.2.0-alpha-1
2.2.0-alpha-4
2.2.0-beta-1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.5.0
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.7.2
2.9.8
2.9.9
2.9.10
2.9.11
2.9.11.2

723.*

723.vbabdf19eb4c7

725.*

725.vd9f8be0fa250

726.*

726.vb0c1ea6c9336

731.*

731.v1f980b7eba32

734.*

734.v2f848c5e6ea2

737.*

737.vdf9dc06105be

746.*

746.v350d2781c184

751.*

751.vda_24678a_f781

756.*

756.v081ee2205040

757.*

757.vddedc5f2589a_

762.*

762.v969cfe087fc0

765.*

765.v5a_2d6a_23c01d

773.*

773.v4b_9b_005b_562b_

784.*

784.v7fcdc7c670f6

785.*

785.ve724eb_44e286

791.*

791.vb_eea_a_476405b

796.*

796.v6cb_1559e1673

800.*

800.va_b_b_9a_a_5035c1

803.*

803.vd9c5e84c41fa_

804.*

804.v8b_0642650b_d2

805.*

805.v7f97d29dc0f5

809.*

809.vc1d904b_30426

820.*

820.v30b_e8c1e36f3

825.*

825.va_6a_dc46a_f97d

832.*

832.v43175a_425ea_6

843.*

843.vd09104df7988

845.*

845.v27a_d5823911b_

848.*

848.v42c6a_317eda_e
848.850.v6a_a_2a_234a_c81

856.*

856.v04c46c86f911

866.*

866.vdea_7dcd3008e

Database specific

{
    "last_known_affected_version_range": "< 871.v28d74e8b4226"
}