ByteOS Network

Vulnerability Details :

CVE-2024-28152

Assigner Org ID-39769cd5-e6e2-4dc8-927e-97b3aa056f5b

Published At-06 Mar, 2024 | 17:01

Updated At-13 Feb, 2025 | 17:47

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:jenkins

Assigner Org ID:39769cd5-e6e2-4dc8-927e-97b3aa056f5b

Published At:06 Mar, 2024 | 17:01

Updated At:13 Feb, 2025 | 17:47

▼CVE Numbering Authority (CNA)

Affected Products

Vendor

Jenkins

Product

Jenkins Bitbucket Branch Source Plugin

Default Status

affected

Versions

Unaffected

From 871.v28d74e8b_4226 before * (maven)
848.850.v6a_a_2a_234a_c81

References

Hyperlink	Resource
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300	vendor-advisory
http://www.openwall.com/lists/oss-security/2024/03/06/3	N/A

Hyperlink: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300

Resource:

vendor-advisory

Hyperlink: http://www.openwall.com/lists/oss-security/2024/03/06/3

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CISA ADP Vulnrichment

Problem Types

Type	CWE ID	Description
CWE	CWE-281	CWE-281 Improper Preservation of Permissions

Type: CWE

CWE ID: CWE-281

Description: CWE-281 Improper Preservation of Permissions

Metrics

Version	Base score	Base severity	Vector
3.1	6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Metrics Other Info

2. CVE Program Container

References

Hyperlink	Resource
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300	vendor-advisory x_transferred
http://www.openwall.com/lists/oss-security/2024/03/06/3	x_transferred

Hyperlink: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300

Resource:

vendor-advisory

x_transferred

Hyperlink: http://www.openwall.com/lists/oss-security/2024/03/06/3

Resource:

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:jenkinsci-cert@googlegroups.com

Published At:06 Mar, 2024 | 17:15

Updated At:18 Sep, 2025 | 16:27

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Type: Secondary

Version: 3.1

Base score: 6.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CPE Matches

Jenkins

>>bitbucket_branch_source>>Versions before 848.850.v6a_a_2a_234a_c81(exclusive)

cpe:2.3:a:jenkins:bitbucket_branch_source:*:*:*:*:*:jenkins:*:*

Jenkins

>>bitbucket_branch_source>>856.v04c46c86f911

cpe:2.3:a:jenkins:bitbucket_branch_source:856.v04c46c86f911:*:*:*:*:jenkins:*:*

Jenkins

>>bitbucket_branch_source>>866.vdea_7dcd3008e

cpe:2.3:a:jenkins:bitbucket_branch_source:866.vdea_7dcd3008e:*:*:*:*:jenkins:*:*

Weaknesses

CWE ID	Type	Source
CWE-281	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-281

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
http://www.openwall.com/lists/oss-security/2024/03/06/3	jenkinsci-cert@googlegroups.com	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300	jenkinsci-cert@googlegroups.com	Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/03/06/3	af854a3a-2127-422b-91ae-364da2661108	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300	af854a3a-2127-422b-91ae-364da2661108	Vendor Advisory

Hyperlink: http://www.openwall.com/lists/oss-security/2024/03/06/3

Source: jenkinsci-cert@googlegroups.com

Resource:

Mailing List

Third Party Advisory

Hyperlink: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300

Source: jenkinsci-cert@googlegroups.com

Resource:

Vendor Advisory

Hyperlink: http://www.openwall.com/lists/oss-security/2024/03/06/3

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Mailing List

Third Party Advisory

Hyperlink: https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Vendor Advisory

Similar CVEs

4Records found

CVE-2019-10359

Matching Score-8

Assigner-Jenkins Project

View Details

Matching Score-8

Assigner-Jenkins Project

CVSS Score-6.3||MEDIUM

EPSS-0.14% / 33.06%

7 Day CHG~0.00%

Published-31 Jul, 2019 | 12:45

Updated-04 Aug, 2024 | 22:17

A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

Vendor-Jenkins

Product-m2release Jenkins Maven Release Plugin

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2019-16539

Matching Score-6

Assigner-Jenkins Project

View Details

Matching Score-6

Assigner-Jenkins Project

CVSS Score-6.5||MEDIUM

EPSS-0.03% / 9.06%

7 Day CHG~0.00%

Published-21 Nov, 2019 | 14:11

Updated-05 Aug, 2024 | 01:17

A missing permission check in Jenkins Support Core Plugin 2.63 and earlier allows attackers with Overall/Read permission to delete support bundles.

Vendor-Jenkins

Product-support_core Jenkins Support Core Plugin

CWE ID-CWE-281

Improper Preservation of Permissions

CVE-2023-41939

Matching Score-6

Assigner-Jenkins Project

View Details

Matching Score-6

Assigner-Jenkins Project

CVSS Score-8.8||HIGH

EPSS-0.06% / 18.55%

7 Day CHG~0.00%

Published-06 Sep, 2023 | 12:08

Updated-26 Sep, 2024 | 21:35

Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.

Vendor-Jenkins

Product-ssh2_easy Jenkins SSH2 Easy Plugin

CWE ID-CWE-281

Improper Preservation of Permissions

CVE-2023-28668

Matching Score-6

Assigner-Jenkins Project

View Details

Matching Score-6

Assigner-Jenkins Project

CVSS Score-9.8||CRITICAL

EPSS-0.80% / 74.33%

7 Day CHG~0.00%

Published-23 Mar, 2023 | 11:25

Updated-25 Feb, 2025 | 20:15

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

Vendor-Jenkins

Product-role-based_authorization_strategy Jenkins Role-based Authorization Strategy Plugin

CWE ID-CWE-281

Improper Preservation of Permissions

CVE-2024-28152

Credits

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Unaffected

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs