Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-20618

UNKNOWN
Published 2022-01-12T19:05:54
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-20618. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Jenkins project

Jenkins Bitbucket Branch Source Plugin

Affected Versions:

unspecified 725.vd9f8be0fa250 2.9.11.2 2.9.7.2

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Incorrect Permission Assignment for Critical Resource in Jenkins Bitbucket Branch Source Plugin

GHSA-w2mh-6xj5-f77f

Advisory Details

Jenkins Bitbucket Branch Source Plugin prior to 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 requires the appropriate permissions.

Affected Packages

Maven org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
ECOSYSTEM: ≥726.v7e6f53de133c <746.v350d2781c184
Maven org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
ECOSYSTEM: ≥720.vbe985dd73d66 <725.vd9f8be0fa250
Maven org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
ECOSYSTEM: ≥2.9.8 <2.9.11.2
Maven org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source
ECOSYSTEM: ≥0 <2.9.7.2

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-20618
WEB https://github.com/jenkinsci/bitbucket-branch-source-plugin/commit/467ed6c94af8735c4755d53145a54325ae82d073
WEB https://github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2022/20xxx/CVE-2022-20618.json
PACKAGE https://github.com/jenkinsci/bitbucket-branch-source-plugin
WEB https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033
WEB http://www.openwall.com/lists/oss-security/2022/01/12/6

Advisory provided by GitHub Security Advisory Database. Published: January 13, 2022, Modified: May 24, 2023

References

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033
http://www.openwall.com/lists/oss-security/2022/01/12/6
Published: 2022-01-12T19:05:54
Last Modified: 2024-08-03T02:17:52.908Z
Copied to clipboard!