GHSA-m4rm-x2rr-357w

Source
https://github.com/advisories/GHSA-m4rm-x2rr-357w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-m4rm-x2rr-357w/GHSA-m4rm-x2rr-357w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m4rm-x2rr-357w
Aliases
Published
2024-03-06T18:30:38Z
Modified
2024-11-07T19:22:05.678027Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests
Details

In Jenkins Bitbucket Branch Source Plugin 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

Database specific
{
    "github_reviewed_at": "2024-03-06T19:20:57Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-281"
    ],
    "nvd_published_at": "2024-03-06T17:15:10Z",
    "severity": "MODERATE"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
Purl
pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
871.v28d74e8b_4226

Affected versions

1.*
1.3
1.4
1.5
1.7
1.8
1.9
2.*
2.0.0-beta-1
2.0.0
2.0.1
2.0.2-beta-1
2.0.2
2.1.0
2.1.1-beta-1
2.1.1
2.1.2
2.2.0-alpha-1
2.2.0-alpha-4
2.2.0-beta-1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.5.0
2.6.0
2.7.0
2.8.0
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.7.2
2.9.8
2.9.9
2.9.10
2.9.11
2.9.11.2
723.*
723.vbabdf19eb4c7
725.*
725.vd9f8be0fa250
726.*
726.vb0c1ea6c9336
731.*
731.v1f980b7eba32
734.*
734.v2f848c5e6ea2
737.*
737.vdf9dc06105be
746.*
746.v350d2781c184
751.*
751.vda_24678a_f781
756.*
756.v081ee2205040
757.*
757.vddedc5f2589a_
762.*
762.v969cfe087fc0
765.*
765.v5a_2d6a_23c01d
773.*
773.v4b_9b_005b_562b_
784.*
784.v7fcdc7c670f6
785.*
785.ve724eb_44e286
791.*
791.vb_eea_a_476405b
796.*
796.v6cb_1559e1673
800.*
800.va_b_b_9a_a_5035c1
803.*
803.vd9c5e84c41fa_
804.*
804.v8b_0642650b_d2
805.*
805.v7f97d29dc0f5
809.*
809.vc1d904b_30426
820.*
820.v30b_e8c1e36f3
825.*
825.va_6a_dc46a_f97d
832.*
832.v43175a_425ea_6
843.*
843.vd09104df7988
845.*
845.v27a_d5823911b_
848.*
848.v42c6a_317eda_e
848.850.v6a_a_2a_234a_c81
856.*
856.v04c46c86f911
866.*
866.vdea_7dcd3008e

Database specific

last_known_affected_version_range
"< 871.v28d74e8b4226"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-m4rm-x2rr-357w/GHSA-m4rm-x2rr-357w.json"