GHSA-w2mh-6xj5-f77f

Source

https://github.com/advisories/GHSA-w2mh-6xj5-f77f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-w2mh-6xj5-f77f/GHSA-w2mh-6xj5-f77f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w2mh-6xj5-f77f

Aliases

CVE-2022-20618

Published

2022-01-13T00:01:02Z

Modified

2024-02-16T08:17:02.640323Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Incorrect Permission Assignment for Critical Resource in Jenkins Bitbucket Branch Source Plugin

Details

Jenkins Bitbucket Branch Source Plugin prior to 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 requires the appropriate permissions.

Database specific

{
    "nvd_published_at": "2022-01-12T20:15:00Z",
    "cwe_ids": [
        "CWE-732",
        "CWE-862"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:49:18Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

726.v7e6f53de133c

Fixed

746.v350d2781c184

Affected versions

726.*

726.vb0c1ea6c9336

731.*

731.v1f980b7eba32

734.*

734.v2f848c5e6ea2

737.*

737.vdf9dc06105be

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

720.vbe985dd73d66

Fixed

725.vd9f8be0fa250

Affected versions

723.*

723.vbabdf19eb4c7

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.9.8

Fixed

2.9.11.2

Affected versions

2.*

2.9.8

2.9.9

2.9.10

2.9.11

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.7.2

Affected versions

1.*

1.3

1.4

1.5

1.7

1.8

1.9

2.*

2.0.0-beta-1

2.0.0

2.0.1

2.0.2-beta-1

2.0.2

2.1.0

2.1.1-beta-1

2.1.1

2.1.2

2.2.0-alpha-1

2.2.0-alpha-4

2.2.0-beta-1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7