CVE-2024-28152

Name
CVE-2024-28152
Description
In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
vendor-advisory https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300
jenkinsci-cert@googlegroups.com http://www.openwall.com/lists/oss-security/2024/03/06/3

Match rules

CPE URI Source package Min version Max version
jenkins-bitbucket-branch-source-plugin >= 871.v28d74e8b_4226 < *
jenkins-bitbucket-branch-source-plugin == 848.850.v6a_a_2a_234a_c81 == 848.850.v6a_a_2a_234a_c81
cpe:2.3:a:jenkins:bitbucket_branch_source:*:*:*:*:*:jenkins:*:* jenkins >= None < 848.850.v6a_a_2a_234a_c81
cpe:2.3:a:jenkins:bitbucket_branch_source:856.v04c46c86f911:*:*:*:*:jenkins:*:* jenkins == None == 856.v04c46c86f911
cpe:2.3:a:jenkins:bitbucket_branch_source:866.vdea_7dcd3008e:*:*:*:*:jenkins:*:* jenkins == None == 866.vdea_7dcd3008e

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
jenkins edge-community 2.479.1-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
jenkins edge-community 2.479.1-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
jenkins edge-community 2.516.1-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
jenkins 3.22-community 2.479.1-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
jenkins 3.22-community 2.479.1-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable