Bug 2268226 (CVE-2024-28152) - CVE-2024-28152 jenkins-2-plugins: Incorrect trust policy behavior for pull requests from forks in Bitbucket Branch Source Plugin
Summary: CVE-2024-28152 jenkins-2-plugins: Incorrect trust policy behavior for pull re...
Keywords:
Status: NEW
Alias: CVE-2024-28152
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2268252
 
Reported: 2024-03-06 17:29 UTC by Pedro Sampaio
Modified: 2024-11-30 08:27 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2024-03-06 17:29:04 UTC
Multibranch Pipelines with Bitbucket branch source can be configured to discover pull requests from forks. The trust policy is set to "Forks in the same account" by default.

In Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, this trust policy allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server. This allows attackers able to submit pull requests from forks to change the Pipeline behavior.

In Bitbucket Branch Source Plugin 871.v28d74e8b_4226, the "Forks in the same account" trust policy does not extend trust to Jenkinsfiles modified by users without write access to the project.

References:

https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300
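The first thing a practitioner needs from this report is a reliable answer to "is my installed Bitbucket Branch Source version in the affected range?", and the Jenkins version scheme (a numeric prefix such as 866 or 848.850 followed by a ".v" plus a commit hash) makes naive string comparison wrong. The following script is an added example, not code from the Jenkins project or from this bug: it parses the numeric prefix of a plugin version, applies exactly the range the description states (866.vdea_7dcd3008e and earlier affected, except the backport 848.850.v6a_a_2a_234a_c81, fixed in 871.v28d74e8b_4226), and scans a plugins.txt list in the `id:version` format used by jenkins-plugin-cli. The plugin id `bitbucket-branch-source` and the sample plugins.txt contents are assumptions made for the example.

```python
"""Version check for CVE-2024-28152 (SECURITY-3300) in Bitbucket Branch Source.

Affected range taken from the advisory text: 866.vdea_7dcd3008e and earlier,
except the backport 848.850.v6a_a_2a_234a_c81; fixed in 871.v28d74e8b_4226.
Added example; not code from the Jenkins project.
"""
from typing import Optional, Tuple

# Assumed plugin id as it appears in a jenkins-plugin-cli plugins.txt line.
PLUGIN_ID = "bitbucket-branch-source"
LAST_AFFECTED = "866.vdea_7dcd3008e"
FIXED_BACKPORTS = {"848.850.v6a_a_2a_234a_c81"}
FIXED_VERSION = "871.v28d74e8b_4226"


def numeric_prefix(version: str) -> Tuple[int, ...]:
    """Return the leading numeric components of a Jenkins plugin version.

    Jenkins CD-style versions look like 866.vdea_7dcd3008e or
    848.850.v6a_a_2a_234a_c81: numeric components, then a component
    starting with 'v' that carries a git hash. Only the numeric components
    order releases; the hash does not. Classic versions (2.9.11) are all
    numeric. Comparing the resulting tuples gives the release order.
    """
    parts = []
    for comp in version.strip().split("."):
        if comp.isdigit():
            parts.append(int(comp))
        else:
            break  # first non-numeric component starts the hash suffix
    if not parts:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if this Bitbucket Branch Source version is in the CVE-2024-28152 range."""
    if version.strip() in FIXED_BACKPORTS:
        return False  # the 848.850 backport carries the fix
    return numeric_prefix(version) <= numeric_prefix(LAST_AFFECTED)


def scan_plugins_txt(text: str) -> Optional[dict]:
    """Look up the Bitbucket Branch Source plugin in plugins.txt content.

    plugins.txt holds one `id:version` per line; blank lines and '#'
    comments are ignored. Returns None when the plugin is not listed,
    otherwise a dict with the installed version, whether it is affected,
    and the version to upgrade to.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        plugin_id, _, version = line.partition(":")
        if plugin_id.strip() != PLUGIN_ID or not version.strip():
            continue
        version = version.strip()
        return {
            "version": version,
            "affected": is_affected(version),
            "fix": FIXED_VERSION,
        }
    return None


# Constructed sample plugins.txt; the other plugin lines are placeholders.
SAMPLE_PLUGINS_TXT = """\
# constructed sample, not taken from a real controller
some-other-plugin:1.2.3
bitbucket-branch-source:866.vdea_7dcd3008e   # last affected release
another-plugin:4.5.6
"""

if __name__ == "__main__":
    finding = scan_plugins_txt(SAMPLE_PLUGINS_TXT)
    if finding is None:
        print("Bitbucket Branch Source plugin not listed")
    elif finding["affected"]:
        print(f"AFFECTED: {finding['version']} -> upgrade to {finding['fix']}")
    else:
        print(f"not affected: {finding['version']}")
```

The numeric-prefix comparison is what makes the backport exception matter: 848.850 sorts below 866 and would otherwise be flagged, so it has to be matched by exact version string, as the advisory lists it. Version ranges in Jenkins advisories are always stated this way ("X and earlier, except Y"), so the same two helpers carry over to other plugin advisories by changing the three constants.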

