PT-2022-14827 · Jenkins · Jenkins Bitbucket Branch Source Plugin +1

Devin Nusbaum · Published 2022-01-12 · Updated 2023-11-30

CVE-2022-20619

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Bitbucket Branch Source Plugin versions prior to 746.v350d2781c184
Jenkins Bitbucket Branch Source Plugin versions prior to 725.vd9f8be0fa250
Jenkins Bitbucket Branch Source Plugin versions prior to 2.9.11.2
Jenkins Bitbucket Branch Source Plugin versions prior to 2.9.7.2
Jenkins Bitbucket Branch Source Plugin version 737.vdf9dc06105be and earlier

Description

A cross-site request forgery (CSRF) vulnerability allows attackers to make the Jenkins controller connect to an attacker-specified URL using an attacker-specified credentials ID (obtained through another method), thereby capturing credentials stored in Jenkins. The issue arises because the plugin does not require POST requests for a specific HTTP endpoint, so the endpoint can be triggered through a forged GET request; it is exploitable by attackers with Overall/Read access.

Recommendations

For Jenkins Bitbucket Branch Source Plugin versions prior to 746.v350d2781c184, update to version 746.v350d2781c184 or later.
For Jenkins Bitbucket Branch Source Plugin versions prior to 725.vd9f8be0fa250, update to version 725.vd9f8be0fa250 or later.
For Jenkins Bitbucket Branch Source Plugin versions prior to 2.9.11.2, update to version 2.9.11.2 or later.
For Jenkins Bitbucket Branch Source Plugin versions prior to 2.9.7.2, update to version 2.9.7.2 or later.
For Jenkins Bitbucket Branch Source Plugin version 737.vdf9dc06105be and earlier, update to a version later than 737.vdf9dc06105be.
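The weakness described above (a form-validation endpoint that accepts GET and performs a credentialed outbound connection) is a recurring Jenkins plugin pattern. The following Java snippet is an added illustration, not code from the Bitbucket Branch Source Plugin; the descriptor class, method names, parameter names and the `probe` helper are hypothetical. It shows a vulnerable variant next to the hardened form Jenkins recommends: the Stapler `@POST` annotation (so the request must carry a CSRF crumb) plus a permission check that runs before any network activity or credentials lookup.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

/** Hypothetical SCM-source descriptor used only to illustrate the endpoint pattern. */
public class ExampleSourceDescriptor {

    // VULNERABLE PATTERN (for contrast): Stapler exposes any public do* method over
    // GET by default, and nothing here checks who the caller is. A page on another
    // origin can make a logged-in user's browser hit this URL with attacker-chosen
    // serverUrl and credentialsId, and the controller connects on their behalf.
    public FormValidation doCheckServerUrlUnsafe(@QueryParameter String serverUrl,
                                                 @QueryParameter String credentialsId) {
        return probe(serverUrl, credentialsId);
    }

    // HARDENED PATTERN: @POST makes Stapler reject GET and enforce the CSRF crumb,
    // and the permission check runs before any credentials lookup or connection.
    @POST
    public FormValidation doCheckServerUrl(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        // Assumption: validation of a global (non-item) config requires ADMINISTER;
        // validation inside a job requires EXTENDED_READ on that job. Returning ok()
        // for unauthorised callers avoids turning the endpoint into an oracle.
        if (item == null ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                         : !item.hasPermission(Item.EXTENDED_READ)) {
            return FormValidation.ok();
        }
        return probe(serverUrl, credentialsId);
    }

    /** Hypothetical connectivity check; only reached after the permission gate. */
    private static FormValidation probe(String serverUrl, String credentialsId) {
        URL url;
        try {
            url = new URL(serverUrl);
        } catch (MalformedURLException e) {
            return FormValidation.error("Invalid server URL");
        }
        if (!"https".equals(url.getProtocol())) {
            return FormValidation.warning("Non-HTTPS URL; credentials would be sent in clear");
        }
        if (credentialsId == null || credentialsId.isEmpty()) {
            return FormValidation.warning("No credentials selected");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            // Real plugins resolve credentialsId via CredentialsProvider and attach
            // them here; omitted so the example stays focused on the request gate.
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected (HTTP " + status + ")")
                                : FormValidation.error("Server returned HTTP " + status);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

When auditing a plugin for this class of issue, the two things to look for are exactly the two lines the hardened method adds: a `@POST` (or `@RequirePOST`) annotation on every `doCheck*`, `doValidate*`, `doTest*` and `doFill*Items` method that takes a credentials ID or performs an outbound connection, and a permission check that precedes the credentials lookup rather than following it.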

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2022-20619
GHSA-W4JV-6RG4-PR4M

Affected Products

Jenkins
Jenkins Bitbucket Branch Source Plugin