CVE-2022-28133: Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site…

medium5.4CVSS 3.1

AVNACLPRLUIRSCCLILAN

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers.

Affected

17 ranges

Vendor	Product	Version range	Fixed in
jenkins	bitbucket_server_integration	<= 3.1.0	—
jenkins	bitbucket_server_integration_plugin	—	—
jenkins	complexity_scatter_plot_plugin	—	—
jenkins	continuous_integration_with_toad_edge_plugin	—	—
jenkins	flaky_test_handler_plugin	—	—
jenkins	jenkins_core	—	—
jenkins	jiratestresultreporter_plugin	—	—
jenkins	job_and_node_ownership_plugin	—	—
jenkins	phoenix_autotest_plugin	—	—
jenkins	proxmox_plugin	—	—
jenkins	rocketchat_notifier_plugin	—	—
jenkins	sitemonitor_plugin	—	—
jenkins	some_reports_generated_by_this_plugin	—	—
jenkins	tests_selector_plugin	—	—
jenkins	windows_in_continuous_integration_with_toad_edge_plugin	—	—
jenkins_project	jenkins_bitbucket_server_integration_plugin	>= 2.0.0 < unspecified	unspecified
jenkins_project	jenkins_bitbucket_server_integration_plugin	unspecified – 3.1.0	—