CVE-2024-28152

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/03/06/3	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300	Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/03/06/3	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:jenkins:bitbucket_branch_source::::::jenkins::*
	cpe:2.3:a:jenkins:bitbucket_branch_source:856.v04c46c86f911:::::jenkins::
	cpe:2.3:a:jenkins:bitbucket_branch_source:866.vdea_7dcd3008e:::::jenkins::

History

18 Sep 2025, 16:27

Type	Values Removed	Values Added
CPE		cpe:2.3:a:jenkins:bitbucket_branch_source:856.v04c46c86f911:::::jenkins:: cpe:2.3:a:jenkins:bitbucket_branch_source::::::jenkins::* cpe:2.3:a:jenkins:bitbucket_branch_source:866.vdea_7dcd3008e:::::jenkins::
First Time		Jenkins bitbucket Branch Source Jenkins
References	~~() http://www.openwall.com/lists/oss-security/2024/03/06/3 -~~	() http://www.openwall.com/lists/oss-security/2024/03/06/3 - Mailing List, Third Party Advisory
References	~~() https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300 -~~	() https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300 - Vendor Advisory

Information

Published : 2024-03-06 17:15

Updated : 2025-09-18 16:27

NVD link : CVE-2024-28152

Mitre link : CVE-2024-28152

CVE.ORG link : CVE-2024-28152

JSON object : View

Products Affected

jenkins

bitbucket_branch_source

CWE

CWE-281

Improper Preservation of Permissions

{"id": "CVE-2024-28152", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2024-03-06T17:15:10.637", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-281"}]}], "descriptions": [{"lang": "en", "value": "In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy \"Forks in the same account\" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server."}, {"lang": "es", "value": "En el complemento Jenkins Bitbucket Branch Source 866.vdea_7dcd3008e y versiones anteriores, excepto 848.850.v6a_a_2a_234a_c81, al descubrir solicitudes de extracci\u00f3n de bifurcaciones, la pol\u00edtica de confianza \"Bifurcaciones en la misma cuenta\" permite cambios en los archivos Jenkins de usuarios sin acceso de escritura al proyecto cuando se usa Bitbucket Server. ."}], "lastModified": "2025-09-18T16:27:55.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "41FA8486-E8AD-45FC-8C27-9066914AE876", "versionEndExcluding": "848.850.v6a_a_2a_234a_c81"}, {"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:856.v04c46c86f911:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "6DEC4DC0-8FB8-44BC-B354-743DF65D4717"}, {"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:866.vdea_7dcd3008e:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "86FE3E61-F431-4326-9718-113B2ED34F11"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}