CVE-2022-28134: Missing permission checks in Jekins Bitbucket Server Integration Plugin
5.4
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.7476%
CWE
Published
3/30/2022
Updated
2/1/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
io.jenkins.plugins:atlassian-bitbucket-server-integration | maven | < 3.2.0 | 3.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability describes missing authorization checks in HTTP endpoints for consumer management. Based on Jenkins plugin patterns:
- Webhook creation endpoints typically handle POST requests and would require admin privileges
- Consumer deletion operations would map to doDelete* methods
- List operations would correspond to GET handlers While exact method names aren't shown in advisories, the standard Jenkins controller naming conventions and endpoint security patterns strongly suggest these functions would be responsible for the vulnerable operations described.