CVE-2022-20619: Cross-Site Request Forgery in Jenkins Bitbucket Branch Source Plugin

Basic Information
CVSS Score: 7.1 (CVSS v3.1)
CVE ID: CVE-2022-20619
GHSA ID:
EPSS Score: 0.44461%
CWE:
Published: 1/13/2022
Updated: 12/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Reading the vector: the endpoint is reachable over the network with low attack complexity and no privileges on the Jenkins instance, but user interaction is required (a victim with access to Jenkins must be induced to load attacker-controlled content that triggers the request). Scope is unchanged; the impact is high on confidentiality and low on integrity, with no availability impact. These metrics produce the 7.1 base score above.
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source | maven | >= 726.v7e6f53de133c, < 746.v350d2781c184 | 746.v350d2781c184 |
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source | maven | >= 720.vbe985dd73d66, < 725.vd9f8be0fa250 | 725.vd9f8be0fa250 |
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source | maven | >= 2.9.8, < 2.9.11.2 | 2.9.11.2 |
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source | maven | < 2.9.7.2 | 2.9.7.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The fix commit adds the @RequirePOST annotation to the plugin's doFillRepositoryItems method, the form-validation endpoint Jenkins calls to populate the repository drop-down. Because the method also accepted GET requests, a victim's browser could be made to invoke it cross-site without a CSRF crumb; with @RequirePOST, Stapler rejects any non-POST request before the method body runs, and POST requests are subject to the Jenkins CSRF crumb check. The accompanying test, Security2467Test.java, asserts that a GET to this endpoint now returns HTTP 405 (HTTP_BAD_METHOD). The advisory names the missing POST enforcement as the root cause, and this is the only method in the patch that gained CSRF protection. To verify a deployment, compare the installed plugin version with the first patched version for its release line in the table above; four lines (2.9.7.2, 2.9.11.2, 725.vd9f8be0fa250 and 746.v350d2781c184) carry the fix.
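To make the fix concrete, here is an added example written for this page (it is not code from the Bitbucket Branch Source plugin) showing the vulnerable doFill pattern beside the hardened one in a hypothetical plugin Describable, followed by a JenkinsRule test in the style the root cause analysis attributes to Security2467Test. The package, class, method parameters and URL are assumptions; the real method's parameters are not shown on this page. The permission check in the hardened method is also an assumption: it is the second half of the usual Jenkins hardening for doFill* methods and goes beyond what the page says the patch changed, which was only the @RequirePOST annotation.

```java
// --- src/main/java/com/example/jenkins/RepositoryPicker.java (hypothetical) ---
package com.example.jenkins;

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical describable whose "repository" drop-down is filled by a server round-trip. */
public class RepositoryPicker extends AbstractDescribableImpl<RepositoryPicker> {
    private final String repository;

    @DataBoundConstructor
    public RepositoryPicker(String repository) {
        this.repository = repository;
    }

    public String getRepository() {
        return repository;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<RepositoryPicker> {

        // Vulnerable pattern: Stapler binds this method to GET as well as POST, so a page the
        // victim visits can make their browser call it cross-site (no crumb is required for GET),
        // and the server-side lookup runs with whatever serverUrl/credentialsId the attacker chose.
        public ListBoxModel doFillRepositoryItemsUnsafe(@QueryParameter String serverUrl,
                                                        @QueryParameter String credentialsId) {
            return listRepositories(serverUrl, credentialsId);
        }

        // Hardened pattern. @RequirePOST makes Stapler answer non-POST requests with 405 before
        // the body runs; POST requests are then covered by the Jenkins CSRF crumb check. The
        // permission check (an assumption for this example, not part of the page's patch) also
        // stops a low-privilege user from driving the lookup directly.
        @RequirePOST
        public ListBoxModel doFillRepositoryItems(@AncestorInPath Item context,
                                                  @QueryParameter String serverUrl,
                                                  @QueryParameter String credentialsId) {
            if (context == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                context.checkPermission(Item.CONFIGURE);
            }
            return listRepositories(serverUrl, credentialsId);
        }

        // Stand-in for the remote lookup; no network call is made in this example.
        private static ListBoxModel listRepositories(String serverUrl, String credentialsId) {
            ListBoxModel items = new ListBoxModel();
            items.add("(select a repository)", "");
            return items;
        }
    }
}

// --- src/test/java/com/example/jenkins/RepositoryPickerTest.java (hypothetical) ---
package com.example.jenkins;

import java.net.HttpURLConnection;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;

public class RepositoryPickerTest {
    @Rule
    public JenkinsRule j = new JenkinsRule();

    // Mirrors the check the page attributes to Security2467Test: a GET must be refused with 405.
    @Test
    public void getIsRejectedWithMethodNotAllowed() throws Exception {
        JenkinsRule.WebClient wc = j.createWebClient();
        wc.assertFails(
                "descriptorByName/com.example.jenkins.RepositoryPicker/fillRepositoryItems"
                        + "?serverUrl=https://bitbucket.example&credentialsId=x",
                HttpURLConnection.HTTP_BAD_METHOD);
    }
}
```

The test drives the endpoint through the descriptorByName route that Jenkins exposes for every registered Descriptor, so it exercises the same path a forged cross-site request would take. Run it with the plugin's normal Maven test goal; it needs the jenkins-test-harness dependency that plugin POMs inherit from the parent.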