CVE-2024-28152

EUVD-2024-0958
In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
jenkinsbitbucket_branch_source
𝑥
< 848.850.v6a_a_2a_234a_c81
jenkinsbitbucket_branch_source
856.v04c46c86f911:v04c46c86f911
jenkinsbitbucket_branch_source
866.vdea_7dcd3008e:vdea_7dcd3008e
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/03/06/3
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300
http://www.openwall.com/lists/oss-security/2024/03/06/3
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300