CVE-2022-28134 — Missing Authorization in Project Jenkins Bitbucket Server Integration Plugin

CWE-862 — Missing Authorization5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 83.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Bitbucket Server Integration Plugin Jenkins Bitbucket Server Integration

Timeline

PublishedMar 29

Latest updateMar 30

Description

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_bitbucket_server_integration_pluginunspecified — 3.1.0

▶NVDjenkins/bitbucket3.1.0

🔴Vulnerability Details

GHSA

Missing permission checks in Jekins Bitbucket Server Integration Plugin↗2022-03-30

▶

OSV

Missing permission checks in Jekins Bitbucket Server Integration Plugin↗2022-03-30

▶

CVEList

CVE-2022-28134: Jenkins Bitbucket Server Integration Plugin 3↗2022-03-29

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-03-29↗2022-03-29

▶