GHSA-w4jv-6rg4-pr4m

Source

https://github.com/advisories/GHSA-w4jv-6rg4-pr4m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-w4jv-6rg4-pr4m/GHSA-w4jv-6rg4-pr4m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w4jv-6rg4-pr4m

Aliases

CVE-2022-20619

Published

2022-01-13T00:01:00Z

Modified

2024-02-16T08:08:58.837641Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator

Summary

Cross-Site Request Forgery in Jenkins Bitbucket Branch Source Plugin

Details

Jenkins Bitbucket Branch Source Plugin prior to 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 requires POST requests for the affected HTTP endpoint.

Database specific

{
    "nvd_published_at": "2022-01-12T20:15:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:49:06Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

726.v7e6f53de133c

Fixed

746.v350d2781c184

Affected versions

726.*

726.vb0c1ea6c9336

731.*

731.v1f980b7eba32

734.*

734.v2f848c5e6ea2

737.*

737.vdf9dc06105be

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

720.vbe985dd73d66

Fixed

725.vd9f8be0fa250

Affected versions

723.*

723.vbabdf19eb4c7

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.9.8

Fixed

2.9.11.2

Affected versions

2.*

2.9.8

2.9.9

2.9.10

2.9.11

Maven / org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source

Package

Name: org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-bitbucket-branch-source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.7.2

Affected versions

1.*

1.3

1.4

1.5

1.7

1.8

1.9

2.*

2.0.0-beta-1

2.0.0

2.0.1

2.0.2-beta-1

2.0.2

2.1.0

2.1.1-beta-1

2.1.1

2.1.2

2.2.0-alpha-1

2.2.0-alpha-4

2.2.0-beta-1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.3.0

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7