Miggo Logo

CVE-2022-28134: Missing permission checks in Jekins Bitbucket Server Integration Plugin

5.4

CVSS Score
3.1

Basic Information

EPSS Score
0.7476%
Published
3/30/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
io.jenkins.plugins:atlassian-bitbucket-server-integrationmaven< 3.2.03.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability describes missing authorization checks in HTTP endpoints for consumer management. Based on Jenkins plugin patterns:

  1. Webhook creation endpoints typically handle POST requests and would require admin privileges
  2. Consumer deletion operations would map to doDelete* methods
  3. List operations would correspond to GET handlers While exact method names aren't shown in advisories, the standard Jenkins controller naming conventions and endpoint security patterns strongly suggest these functions would be responsible for the vulnerable operations described.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *it*u*k*t S*rv*r Int**r*tion Plu*in *.*.* *n* **rli*r *o*s not p*r*orm p*rmission ****ks in s*v*r*l *TTP *n*points, *llowin* *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *r**t*, vi*w, *n* **l*t* *it*u*k*t S*rv*r *onsum*rs.

Reasoning

T** vuln*r**ility **s*ri**s missin* *ut*oriz*tion ****ks in *TTP *n*points *or *onsum*r m*n***m*nt. **s** on J*nkins plu*in p*tt*rns: *. W***ook *r**tion *n*points typi**lly **n*l* POST r*qu*sts *n* woul* r*quir* **min privil***s *. *onsum*r **l*tion