CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability stems from the plugin's implementation of Jenkins' CrumbExclusion extension point for OAuth 1.0 authentication. Jenkins' standard CSRF protection relies on CrumbExclusion implementations to whitelist the specific URLs that may be requested without a crumb, so the security of the whole mechanism depends on how narrowly each exclusion matches. The advisory indicates that in the vulnerable versions (2.1.0 through 4.1.3) the plugin's exclusion logic was too broad. The vulnerable function likely used insufficiently restrictive pattern matching in its exclude() method, potentially matching any URL containing a crafted pattern rather than strictly limiting the exclusion to the OAuth endpoints that require it. The patch in 4.1.4 would have tightened the URL validation in this exclusion handler so that only the intended OAuth paths bypass the crumb check.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.jenkins.plugins:atlassian-bitbucket-server-integration | maven | >= 2.1.0, < 4.1.4 | 4.1.4 |