- Description
- In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server. The trust policy is what decides whether the Jenkinsfile from a fork's pull request is taken as-is (and therefore built) or replaced with the target branch's Jenkinsfile; under this policy, a Bitbucket Server user who can only fork the repository can still get their modified Jenkinsfile executed.
- Source
- jenkinsci-cert@googlegroups.com
- NVD status
- Analyzed
- Products
- bitbucket_branch_source
CVSS 3.1
- Type
- Secondary
- Base score
- 6.3
- Impact score
- 3.4
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
- Severity
- MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-281 (Improper Preservation of Permissions)
- Hype score
- Not currently trending
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:*:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "41FA8486-E8AD-45FC-8C27-9066914AE876",
            "versionEndExcluding": "848.850.v6a_a_2a_234a_c81"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:856.v04c46c86f911:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6DEC4DC0-8FB8-44BC-B354-743DF65D4717"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:866.vdea_7dcd3008e:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "86FE3E61-F431-4326-9718-113B2ED34F11"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
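The CPE configuration above and the prose description do not express the affected set the same way: the description says "866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81", while the CPE data is an open range below 848.850 plus two pinned versions. The following is an added example, not NVD's or the Jenkins project's code, that evaluates an installed plugin version against both. It assumes that Jenkins incremental versions order by their leading numeric components and that the "v<hash>" segment carries no ordering information; the version strings it is run against at the bottom are constructed for illustration and are not real releases.

```python
"""Check a Bitbucket Branch Source Plugin version against this CVE's
affected-version data (added example; not NVD or Jenkins code)."""

# NVD 'configurations' block from this page, embedded so the check runs offline.
NVD_CONFIGURATIONS = [
    {
        "nodes": [
            {
                "negate": False,
                "cpeMatch": [
                    {
                        "criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:*:*:*:*:*:jenkins:*:*",
                        "vulnerable": True,
                        "matchCriteriaId": "41FA8486-E8AD-45FC-8C27-9066914AE876",
                        "versionEndExcluding": "848.850.v6a_a_2a_234a_c81",
                    },
                    {
                        "criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:856.v04c46c86f911:*:*:*:*:jenkins:*:*",
                        "vulnerable": True,
                        "matchCriteriaId": "6DEC4DC0-8FB8-44BC-B354-743DF65D4717",
                    },
                    {
                        "criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:866.vdea_7dcd3008e:*:*:*:*:jenkins:*:*",
                        "vulnerable": True,
                        "matchCriteriaId": "86FE3E61-F431-4326-9718-113B2ED34F11",
                    },
                ],
                "operator": "OR",
            }
        ]
    }
]


def version_key(version):
    """Comparable key for a Jenkins plugin version.

    Assumption: incremental versions such as '866.vdea_7dcd3008e' or
    '848.850.v6a_a_2a_234a_c81' order by their leading numeric components;
    the 'v<hash>' segment is dropped. Plain versions ('2.9.7') are all numeric.
    """
    key = []
    for seg in version.split("."):
        if not seg.isdigit():
            break
        key.append(int(seg))
    return tuple(key)


def cpe_version(criteria):
    """Version field of a CPE 2.3 formatted string (component index 5)."""
    return criteria.split(":")[5]


def match_criteria(match, installed):
    """Does one cpeMatch entry cover the installed version string?"""
    pinned = cpe_version(match["criteria"])
    if pinned != "*":
        return pinned == installed  # exact-version criterion
    v = version_key(installed)
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    return True


def node_matches(node, installed):
    """Evaluate one node: OR/AND across its vulnerable cpeMatch entries, then negate."""
    hits = [match_criteria(m, installed) for m in node["cpeMatch"] if m.get("vulnerable")]
    if not hits:
        result = False
    elif node.get("operator", "OR") == "AND":
        result = all(hits)
    else:
        result = any(hits)
    return (not result) if node.get("negate") else result


def matches_nvd_cpe(installed, configurations=NVD_CONFIGURATIONS):
    """True if any configuration matches (nodes within one configuration are ANDed)."""
    return any(all(node_matches(n, installed) for n in cfg["nodes"]) for cfg in configurations)


def affected_per_advisory_text(installed):
    """The description's rule: 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81."""
    if installed == "848.850.v6a_a_2a_234a_c81":
        return False
    return version_key(installed) <= version_key("866.vdea_7dcd3008e")


if __name__ == "__main__":
    # Constructed version strings for illustration; only the first three are real releases named on this page.
    for v in ["866.vdea_7dcd3008e", "856.v04c46c86f911", "848.850.v6a_a_2a_234a_c81",
              "2.9.7", "861.v0000000000000", "900.v0000000000000"]:
        print(f"{v:28} cpe={matches_nvd_cpe(v)!s:5} advisory_text={affected_per_advisory_text(v)}")
```

The two checks disagree on a version such as the constructed 861.v0000000000000: the advisory text treats everything up to 866 as affected, while the CPE data only pins the releases NVD enumerated above 848.850. When the plugin version on a controller is not one of the pinned releases (a custom or pre-release build, for instance), treat the prose rule as authoritative rather than concluding that "no CPE match" means "not affected".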