1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2981

[JENKINS:SECURITY-2981] CSRF vulnerability in `bitbucket-oauth`

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

bitbucket-oauth 0.12 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker's account.

bitbucket-oauth 0.13 implements a state parameter in its OAuth flow.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/bitbucket-oauth <= 0.12
pkg:github/jenkinsci/bitbucket-oauth-plugin <= 0.12
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/bitbucket-oauth = 0.13
pkg:github/jenkinsci/bitbucket-oauth-plugin = 0.13
ID
JENKINS:SECURITY-2981
Severity
medium
Published
2023-01-24T00:00:00
(20 months ago)
Modified
2023-01-24T00:00:00
(20 months ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository bitbucket-oauth repository https://github.com/jenkinsci/bitbucket-oauth-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/bitbucket-oauth org.jenkins-ci.plugins bitbucket-oauth <= 0.12
Fixed pkg:maven/org.jenkins-ci.plugins/bitbucket-oauth org.jenkins-ci.plugins bitbucket-oauth = 0.13
Affected pkg:github/jenkinsci/bitbucket-oauth-plugin jenkinsci bitbucket-oauth-plugin <= 0.12
Fixed pkg:github/jenkinsci/bitbucket-oauth-plugin jenkinsci bitbucket-oauth-plugin = 0.13
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date