Improper Authorization Affecting org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source package, versions [,871.v28d74e8b_4226)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-6405825
- published 7 Mar 2024
- disclosed 7 Mar 2024
- credit Anders Hammar
Introduced: 7 Mar 2024
CVE-2024-28152 Open this link in a new tabHow to fix?
Upgrade org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source to version 871.v28d74e8b_4226 or higher.
Overview
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source is a package that allows to discover and build Bitbucket Cloud and Bitbucket Server pull requests and branches and send status notifications with the build result.
Affected versions of this package are vulnerable to Improper Authorization such that Multibranch Pipelines with Bitbucket branch source can be configured to discover pull requests from forks. The trust policy is set to "Forks in the same account" by default.
This trust policy allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server. This allows attackers able to submit pull requests from forks to change the Pipeline behavior.
Note:
Pipelines using Bitbucket Cloud are unaffected by this issue.