PT-2022-14826 · Jenkins · Jenkins Bitbucket Branch Source Plugin

Daniel Beck
Published: 2022-01-12
Updated: 2023-11-30
CVE-2022-20618
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Bitbucket Branch Source Plugin versions 737.vdf9dc06105be and earlier
Jenkins Bitbucket Branch Source Plugin versions prior to 746.v350d2781c184
Jenkins Bitbucket Branch Source Plugin versions prior to 725.vd9f8be0fa250
Jenkins Bitbucket Branch Source Plugin version 2.9.11.2
Jenkins Bitbucket Branch Source Plugin version 2.9.7.2
Description
A missing permission check in the Jenkins Bitbucket Branch Source Plugin allows attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins. A known credentials ID can then be used as part of an attack that captures the credentials themselves through another vulnerability. The issue affects several HTTP endpoints of the plugin that do not perform permission checks before returning credentials IDs.
Recommendations
For Jenkins Bitbucket Branch Source Plugin version 737.vdf9dc06105be and earlier, update to a version later than 746.v350d2781c184.
For Jenkins Bitbucket Branch Source Plugin version 2.9.11.2, update to a version later than 2.9.11.2.
For Jenkins Bitbucket Branch Source Plugin version 2.9.7.2, update to a version later than 2.9.7.2.
As a temporary workaround until the update can be applied, restrict access to the plugin's HTTP endpoints that do not perform permission checks. Restrict access to the credentials stored in Jenkins, so that a disclosed credentials ID is of as little use as possible to an attacker.
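The defect class the description refers to is a Stapler-bound form-fill endpoint that lists credentials without first checking what the caller is allowed to see. The Java below is an added illustration written for this page; it is not the plugin's actual code nor its actual fix, and the class name, method names and the serverUrl parameter are hypothetical. It places the unchecked pattern next to the permission-checked pattern that Jenkins documents for credentials drop-downs: require Item/ExtendedRead or Credentials/UseItem on the job being configured, or Overall/Administer when there is no job context, and otherwise return only the value already in the form.

```java
// Added illustration, not the Bitbucket Branch Source Plugin's code.
// Class, method and parameter names are hypothetical.
package example;

import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

/** In a real plugin these doFill* methods live on a Descriptor; kept minimal here. */
public class ExampleCredentialsDescriptor {

    // Unchecked pattern: every caller who can reach the endpoint (Overall/Read is
    // enough to reach Stapler-bound methods) receives the full list of matching
    // credentials IDs. This is the class of defect the advisory describes.
    public ListBoxModel doFillCredentialsIdItemsUnchecked(
            @AncestorInPath Item context, @QueryParameter String serverUrl) {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, context, StandardUsernameCredentials.class);
    }

    // Checked pattern: without the required permission the caller gets back only
    // the value already present in the form (so the UI still renders), and no
    // other credentials ID is disclosed.
    public ListBoxModel doFillCredentialsIdItems(
            @AncestorInPath Item context,
            @QueryParameter String serverUrl,
            @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (context == null) {
            // Global configuration: only administrators may see the list.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else {
            // Job configuration: the caller must be able to read or use
            // credentials in this job's context.
            if (!context.hasPermission(Item.EXTENDED_READ)
                    && !context.hasPermission(CredentialsProvider.USE_ITEM)) {
                return result.includeCurrentValue(credentialsId);
            }
        }
        // Permission confirmed: enumerate as SYSTEM so the list is complete,
        // and keep the current value selectable even if it no longer matches.
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, context, StandardUsernameCredentials.class)
                .includeCurrentValue(credentialsId);
    }
}
```

When reviewing a plugin for this weakness, every doFill*, doCheck* and similar Stapler-bound method that touches CredentialsProvider should contain a permission check of this shape before the lookup; the unchecked variant above is what such a review flags.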

Weakness Enumeration
Missing Authorization
Incorrect Permission

Related Identifiers

CVE-2022-20618
GHSA-W2MH-6XJ5-F77F

Affected Products

Jenkins
Jenkins Bitbucket Branch Source Plugin