CVE-2024-28152 — Jenkins Bitbucket Branch Source Plugin has incorrect trust policy behavior for p

Description

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

How to fix CVE-2024-28152

To remediate CVE-2024-28152, upgrade the affected package to a fixed version below.

—upgrade to 871.v28d74e8b_4226 or later

Is CVE-2024-28152 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 871.v28d74e8b_4226

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-28152
PATCHgithub.com/jenkinsci/bitbucket-branch-source-plugin
WEBgithub.com/jenkinsci/bitbucket-branch-source-plugin/commit/28d74e8b4226bfc7524b412e34f7090784cc1a08
WEBwww.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300