Base Score

MEDIUM6.3

CVE-2024-28152

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateMar 06, 2024, 17:15

Affected Versions(1)

org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)

Introduced0

Fixed871.v28d74e8b_4226

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source(Maven)	0	871.v28d74e8b_4226	N/A

Weakness Type (CWE):CWE-281

CVSS Metrics

Base Score

6.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW

References

Base Score

MEDIUM6.3

Weakness Type (CWE):CWE-281

CVSS Metrics

Base Score

6.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW