GHSA-qjw6-xvrm-5f2h

Source

https://github.com/advisories/GHSA-qjw6-xvrm-5f2h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-qjw6-xvrm-5f2h/GHSA-qjw6-xvrm-5f2h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qjw6-xvrm-5f2h

Aliases

CVE-2025-24398

Published

2025-01-22T18:31:55Z

Modified

2025-01-22T19:12:07.775257Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL

Details

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication.

In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

Bitbucket Server Integration Plugin 4.1.4 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the URLs that needs it.

Database specific

{
    "github_reviewed_at": "2025-01-22T19:04:01Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "nvd_published_at": "2025-01-22T17:15:13Z",
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Maven / io.jenkins.plugins:atlassian-bitbucket-server-integration

Package

Name: io.jenkins.plugins:atlassian-bitbucket-server-integration; View open source insights on deps.dev
Purl: pkg:maven/io.jenkins.plugins/atlassian-bitbucket-server-integration

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

4.1.4

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.1.3

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

3.3.1

3.3.2

3.4.1

3.4.2

3.5.0

3.6.0

4.*

4.0.0-alpha.1

4.0.0-beta.1

4.0.0

4.1.0

4.1.1

4.1.2

4.1.3