Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNHJtLXgycnItMzU3d84AA5zW
Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests
In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.
Permalink: https://github.com/advisories/GHSA-m4rm-x2rr-357w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNHJtLXgycnItMzU3d84AA5zW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 24 days ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-m4rm-x2rr-357w, CVE-2024-28152
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-28152
- https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300
- https://github.com/jenkinsci/bitbucket-branch-source-plugin/commit/28d74e8b4226bfc7524b412e34f7090784cc1a08
- http://www.openwall.com/lists/oss-security/2024/03/06/3
- https://github.com/advisories/GHSA-m4rm-x2rr-357w
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
Affected Version Ranges: < 871.v28d74e8b4226
Fixed in: 871.v28d74e8b_4226
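Deciding whether an installed copy of this plugin falls in the affected range is not a plain string comparison: Jenkins incremental versions such as 871.v28d74e8b_4226 or 848.850.v6a_a_2a_234a_c81 order by the leading dot-separated integers (commit count, plus a branch counter on backport lines), and the ".v<hash>" suffix carries no ordering. The following Python is an added example, not code from ecosyste.ms, GitHub or the Jenkins project: it applies the range and the single "except" version quoted in this advisory to the plugin list a Jenkins controller returns from /pluginManager/api/json?depth=1. The JSON document embedded below is constructed for the example, and the host name in the comments is hypothetical.

```python
import json
import re

# Facts taken from this advisory record.
PLUGIN_SHORT_NAME = "cloudbees-bitbucket-branch-source"
FIXED_VERSION = "871.v28d74e8b_4226"
# Backport release the advisory explicitly excludes from the affected range.
# Only the version named on the page is listed; a later backport on the same
# line would have to be added here by hand (assumption: none is known).
UNAFFECTED_EXCEPTIONS = {"848.850.v6a_a_2a_234a_c81"}

_NUMERIC_PREFIX = re.compile(r"^(\d+(?:\.\d+)*)")


def version_key(version: str) -> tuple:
    """Return the sortable numeric prefix of a Jenkins plugin version.

    '871.v28d74e8b_4226' -> (871,)   '848.850.v6a_a_2a_234a_c81' -> (848, 850)
    Older plain Maven versions such as '2.9.11' follow the same rule.
    """
    m = _NUMERIC_PREFIX.match(version)
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when `version` is inside the advisory's affected range."""
    if version in UNAFFECTED_EXCEPTIONS:
        return False
    return version_key(version) < version_key(FIXED_VERSION)


def affected_plugins(plugin_manager_json: str) -> list:
    """Filter a /pluginManager/api/json?depth=1 document down to vulnerable
    installs of this plugin. Returns a list of {'shortName', 'version'} dicts."""
    data = json.loads(plugin_manager_json)
    hits = []
    for plugin in data.get("plugins", []):
        version = plugin.get("version")
        if plugin.get("shortName") != PLUGIN_SHORT_NAME or not version:
            continue
        if is_affected(version):
            hits.append({"shortName": PLUGIN_SHORT_NAME, "version": version})
    return hits


# Constructed sample of the plugin manager response; a real one comes from
#   curl -s -u user:api-token 'https://jenkins.example.internal/pluginManager/api/json?depth=1'
# (hypothetical host). The other plugin entries exist only to show they are ignored.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1"},
        {"shortName": "cloudbees-bitbucket-branch-source", "version": "866.vdea_7dcd3008e"},
        {"shortName": "bitbucket", "version": "241.v6d24a_57f9359"},
    ]
})

if __name__ == "__main__":
    for hit in affected_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        print(f"{hit['shortName']} {hit['version']}: affected, upgrade to {FIXED_VERSION}")
```

The check answers only the version question; whether the weakness is reachable also depends on the multibranch jobs actually using the "Forks in the same account" trust policy against a Bitbucket Server instance, which the plugin list does not reveal.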