Cross-site Request Forgery (CSRF) Affecting org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source package, versions [,2.9.11.2)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-2359985
- published 25 Jan 2022
- disclosed 12 Jan 2022
- credit Unknown
Introduced: 12 Jan 2022
CVE-2022-20619 Open this link in a new tabHow to fix?
Upgrade org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source to version 2.9.11.2 or higher.
Overview
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source is a package that allows to discover and build Bitbucket Cloud and Bitbucket Server pull requests and branches and send status notifications with the build result.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) by not enforcing POST requests to an HTTP endpoint, which could allow the exfiltration of credentials sent as part of the request. This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.