Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tNHJtLXgycnItMzU3d84AA5zW

Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

Permalink: https://github.com/advisories/GHSA-m4rm-x2rr-357w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNHJtLXgycnItMzU3d84AA5zW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 24 days ago


CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-m4rm-x2rr-357w, CVE-2024-28152
References: Repository: https://github.com/jenkinsci/bitbucket-branch-source-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
Affected Version Ranges: < 871.v28d74e8b_4226
Fixed in: 871.v28d74e8b_4226