CVE-2022-28133 — Cross-site Scripting in Project Jenkins Bitbucket Server Integration Plugin

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 57.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Bitbucket Server Integration Plugin Jenkins Bitbucket Server Integration

Timeline

PublishedMar 29

Latest updateMar 30

Description

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_bitbucket_server_integration_plugin2.0.0 — unspecified+1

▶NVDjenkins/bitbucket3.1.0

🔴Vulnerability Details

OSV

Stored XSS vulnerability in Jenkins Bitbucket Server Integration Plugin↗2022-03-30

▶

GHSA

Stored XSS vulnerability in Jenkins Bitbucket Server Integration Plugin↗2022-03-30

▶

CVEList

CVE-2022-28133: Jenkins Bitbucket Server Integration Plugin 3↗2022-03-29

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-03-29↗2022-03-29

▶