7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-20619

GHSA ID

GHSA-w4jv-6rg4-pr4m

EPSS Score

0.44461%

CWE

CWE-352

Published

1/13/2022

Updated

12/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-20619

CVE-2022-20619: Cross-Site Request Forgery in Jenkins Bitbucket Branch Source Plugin

Jenkins Bitbucket Branch Source Plugin prior to 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184, 725.vd9f8be0fa250, 2.9.11.2, and 2.9.7.2 requires POST requests for the affected HTTP endpoint.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-20619

GHSA ID

GHSA-w4jv-6rg4-pr4m

EPSS Score

0.44461%

CWE

CWE-352

Published

1/13/2022

Updated

12/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source	maven	>= 726.v7e6f53de133c, < 746.v350d2781c184	746.v350d2781c184
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source	maven	>= 720.vbe985dd73d66, < 725.vd9f8be0fa250	725.vd9f8be0fa250
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source	maven	>= 2.9.8, < 2.9.11.2	2.9.11.2
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source	maven	< 2.9.7.2	2.9.7.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the vulnerability was fixed by adding the @RequirePOST annotation to the doFillRepositoryItems method. The test case Security2467Test.java specifically validates that GET requests to this endpoint now return HTTP_BAD_METHOD. The vulnerability description explicitly states the lack of POST request enforcement was the root cause, and this was the only method modified with CSRF protection in the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *it*u*k*t *r*n** Sour** Plu*in prior to ***.v************, ***.v************, *.*.**.*, *n* *.*.*.* *o*s not r*quir* POST r*qu*sts *or *n *TTP *n*point, r*sultin* in * *ross-sit* r*qu*st *or**ry (*SR*) vuln*r**ility. T*is *llows *tt**k*rs wi

Reasoning

T** *ommit *i** s*ows t** vuln*r**ility w*s *ix** *y ***in* t** @R*quir*POST *nnot*tion to t** *o*illR*positoryIt*ms m*t*o*. T** t*st **s* S**urity****T*st.j*v* sp**i*i**lly v*li**t*s t**t **T r*qu*sts to t*is *n*point now r*turn *TTP_***_M*T*O*. T**

7.1

Basic Information

Concerned about an active attack path?

CVE-2022-20619: Cross-Site Request Forgery in Jenkins Bitbucket Branch Source Plugin

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI