CVE-2024-28152: Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for pull requests

March 6, 2024 (updated November 7, 2024)

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy “Forks in the same account” allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

References

github.com/advisories/GHSA-m4rm-x2rr-357w
github.com/jenkinsci/bitbucket-branch-source-plugin
github.com/jenkinsci/bitbucket-branch-source-plugin/commit/28d74e8b4226bfc7524b412e34f7090784cc1a08
nvd.nist.gov/vuln/detail/CVE-2024-28152
www.jenkins.io/security/advisory/2024-03-06/

Code Behaviors & Features

Detect and mitigate CVE-2024-28152 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →