Base Score

HIGH7.1

CVE-2022-20619

A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateJan 12, 2022, 20:15

Affected Versions(4)

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

Introduced726.v7e6f53de133c

Fixed746.v350d2781c184

LimitN/A

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

Introduced720.vbe985dd73d66

Fixed725.vd9f8be0fa250

LimitN/A

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

Introduced2.9.8

Fixed2.9.11.2

LimitN/A

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

Introduced0

Fixed2.9.7.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)	726.v7e6f53de133c	746.v350d2781c184	N/A
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)	720.vbe985dd73d66	725.vd9f8be0fa250	N/A
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)	2.9.8	2.9.11.2	N/A
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)	0	2.9.7.2	N/A

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

7.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

HIGH7.1

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

7.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

LOW

Availability (A)

NONE

CVE-2022-20619

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateJan 12, 2022, 20:15

Package (Ecosystem)

Introduced

Fixed

Limit

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

726.v7e6f53de133c

746.v350d2781c184

N/A

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

720.vbe985dd73d66

725.vd9f8be0fa250

N/A

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

2.9.8

2.9.11.2

N/A

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

2.9.7.2

N/A