CVE-2024-28152
6.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Jenkins Project | Jenkins Bitbucket Branch Source Plugin | 871.v28d74e8b_4226 < * | unaffected |
| Jenkins Project | Jenkins Bitbucket Branch Source Plugin | 848.850.v6a_a_2a_234a_c81 | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300
- http://www.openwall.com/lists/oss-security/2024/03/06/3
References
- https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300
- http://www.openwall.com/lists/oss-security/2024/03/06/3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.