Bug 2044478 (CVE-2022-20619)
Summary: CVE-2022-20619 jenkins-2-plugins/cloudbees-bitbucket-branch-source: no POST request is required for an HTTP endpoint, which could allow capturing credentials stored in Jenkins

Field | Value | Field | Value
---|---|---|---
Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan>
Component: | vulnerability | Assignee: | Nobody <nobody>
Status: | NEW --- | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | abenaiss, bmontgom, eparis, jburrell, jokerman, nstielau, sponnaga, vkumar
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | cloudbees-bitbucket-branch-source 746.v350d2781c184 | Doc Type: | If docs needed, set a value
Doc Text: | A cross-site request forgery (CSRF) vulnerability was found in the Jenkins Bitbucket Branch Source plugin. The affected HTTP endpoint does not require POST requests, so it is not protected against CSRF. This flaw allows an attacker with Overall/Read access to make Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 2044952, 2047839 | |
Bug Blocks: | 2044461 | |
Description
Michael Kaplan
2022-01-24 16:59:14 UTC