Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NGp2LTZyZzQtcHI0bc0ikQ
Cross-Site Request Forgery in Jenkins Bitbucket Branch Source Plugin
Jenkins Bitbucket Branch Source Plugin prior to 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Bitbucket Branch Source Plugin 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 requires POST requests for the affected HTTP endpoint.
Permalink: https://github.com/advisories/GHSA-w4jv-6rg4-pr4m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NGp2LTZyZzQtcHI0bc0ikQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 4 months ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Identifiers: GHSA-w4jv-6rg4-pr4m, CVE-2022-20619
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-20619
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467
- http://www.openwall.com/lists/oss-security/2022/01/12/6
- https://github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2022/20xxx/CVE-2022-20619.json
- https://github.com/jenkinsci/bitbucket-branch-source-plugin/commit/a596f651a4b3bfe31a087c4d392e81c0167ab551
- https://github.com/advisories/GHSA-w4jv-6rg4-pr4m
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
Affected Version Ranges:
- < 2.9.7.2
- >= 2.9.8, < 2.9.11.2
- >= 720.vbe985dd73d66, < 725.vd9f8be0fa250
- >= 726.v7e6f53de133c, < 746.v350d2781c184
Fixed in: 2.9.7.2, 2.9.11.2, 725.vd9f8be0fa250, 746.v350d2781c184