{"containers": {"cna": {"affected": [{"product": "Jenkins Bitbucket Branch Source Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "737.vdf9dc06105be", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "725.vd9f8be0fa250"}, {"status": "unaffected", "version": "2.9.11.2"}, {"status": "unaffected", "version": "2.9.7.2"}]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:19:08.153Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-20619", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Bitbucket Branch Source Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "737.vdf9dc06105be"}, {"version_affected": "!", "version_value": "725.vd9f8be0fa250"}, {"version_affected": "!", "version_value": "2.9.11.2"}, {"version_affected": "!", "version_value": "2.9.7.2"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:17:52.944Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-20619", "datePublished": "2022-01-12T19:05:56", "dateReserved": "2021-10-28T00:00:00", "dateUpdated": "2024-08-03T02:17:52.944Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "0776E22C-4717-476C-8E40-9E580AFA7403", "versionEndIncluding": "2.9.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:737.vdf9dc06105be:*:*:*:*:jenkins:*:*", "matchCriteriaId": "AD2AC10D-1854-4E1D-9230-78ED6FF7D36F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be y anteriores permite a atacantes conectarse a una URL especificada por el atacante usando IDs de credenciales especificados por el atacante obtenidos a trav\u00e9s de otro m\u00e9todo, capturando credenciales almacenadas en Jenkins"}], "id": "CVE-2022-20619", "lastModified": "2024-11-21T06:43:10.413", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-12T20:15:09.007", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "jenkins-2-plugins/cloudbees-bitbucket-branch-source: no POST request is required for an http endpoint which could allow capturing credentials stored in Jenkins", "id": "2044478", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044478"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-352", "details": ["A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", "A Cross-site request forgery (CSRF) vulnerability was found in the Jenkins Bitbucket Branch Source plugin. In the HTTP endpoint, the POST requests are not required. This flaw allows an attacker with Overall/Read access to connect to an attacker-specified URL (using attacker-specified credentials IDs), capturing credentials stored in Jenkins."], "name": "CVE-2022-20619", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-01-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-20619\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-20619\nhttps://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467"], "threat_severity": "Moderate", "upstream_fix": "cloudbees-bitbucket-branch-source 746.v350d2781c184"}