CVE-2024-28152

CWE-281 CWE-5016 documents6 sources

Severity

6.3MEDIUM

EPSS

0.0%

top 90.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Bitbucket Branch Source

Timeline

PublishedMar 6

Description

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

▶Mavenorg.jenkins-ci.plugins:cloudbees-bitbucket-branch-source< 871.v28d74e8b_4226

▶NVDjenkins/bitbucket_branch_source< 848.850.v6a_a_2a_234a_c81+2

🔴Vulnerability Details

OSV

Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests↗2024-03-06

▶

GHSA

Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests↗2024-03-06

▶

CVEList

CVE-2024-28152: In Jenkins Bitbucket Branch Source Plugin 866↗2024-03-06

▶

📋Vendor Advisories

Red Hat

jenkins-2-plugins: Incorrect trust policy behavior for pull requests from forks in Bitbucket Branch Source Plugin↗2024-03-06

▶

Jenkins

Jenkins Security Advisory 2024-03-06↗2024-03-06

▶