Vulnerability Monitor

CVE-2024-28152


In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.


Published: 2024-03-06T17:15:10.637

Last Modified: 2025-09-18T16:27:55.487

Status: Analyzed

Source: [email protected]

Severity: CVSSv3.1: 6.3 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-281

Affected Vendors & Products
Type         Vendor   Product                  Version/Range                Vulnerable?
Application  jenkins  bitbucket_branch_source  < 848.850.v6a_a_2a_234a_c81  Yes
Application  jenkins  bitbucket_branch_source  856.v04c46c86f911            Yes
Application  jenkins  bitbucket_branch_source  866.vdea_7dcd3008e           Yes

References