CVE-2024-28152

{"id": "CVE-2024-28152", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2024-03-06T17:15:10.637", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-281"}]}], "descriptions": [{"lang": "en", "value": "In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy \"Forks in the same account\" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server."}, {"lang": "es", "value": "En el complemento Jenkins Bitbucket Branch Source 866.vdea_7dcd3008e y versiones anteriores, excepto 848.850.v6a_a_2a_234a_c81, al descubrir solicitudes de extracci\u00f3n de bifurcaciones, la pol\u00edtica de confianza \"Bifurcaciones en la misma cuenta\" permite cambios en los archivos Jenkins de usuarios sin acceso de escritura al proyecto cuando se usa Bitbucket Server. ."}], "lastModified": "2025-09-18T16:27:55.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "41FA8486-E8AD-45FC-8C27-9066914AE876", "versionEndExcluding": "848.850.v6a_a_2a_234a_c81"}, {"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:856.v04c46c86f911:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "6DEC4DC0-8FB8-44BC-B354-743DF65D4717"}, {"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:866.vdea_7dcd3008e:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "86FE3E61-F431-4326-9718-113B2ED34F11"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}