{"containers": {"cna": {"affected": [{"product": "Jenkins Bitbucket Branch Source Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "737.vdf9dc06105be", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "725.vd9f8be0fa250"}, {"status": "unaffected", "version": "2.9.11.2"}, {"status": "unaffected", "version": "2.9.7.2"}]}], "descriptions": [{"lang": "en", "value": "A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:19:07.021Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-20618", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Bitbucket Branch Source Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "737.vdf9dc06105be"}, {"version_affected": "!", "version_value": "725.vd9f8be0fa250"}, {"version_affected": "!", "version_value": "2.9.11.2"}, {"version_affected": "!", "version_value": "2.9.7.2"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:17:52.908Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-20618", "datePublished": "2022-01-12T19:05:54.000Z", "dateReserved": "2021-10-28T00:00:00.000Z", "dateUpdated": "2024-08-03T02:17:52.908Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "0776E22C-4717-476C-8E40-9E580AFA7403", "versionEndIncluding": "2.9.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:bitbucket_branch_source:737.vdf9dc06105be:*:*:*:*:jenkins:*:*", "matchCriteriaId": "AD2AC10D-1854-4E1D-9230-78ED6FF7D36F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins."}, {"lang": "es", "value": "Una falta de comprobaci\u00f3n de permisos en el Plugin Jenkins Bitbucket Branch Source versiones 737.vdf9dc06105be y anteriores, permite a atacantes con acceso general/libre enumerar los ID de las credenciales almacenadas en Jenkins"}], "id": "CVE-2022-20618", "lastModified": "2024-11-21T06:43:10.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-12T20:15:08.957", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "jenkins-2-plugins/cloudbees-bitbucket-branch-source: missing permission check allow ID enumeration", "id": "2044466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044466"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-862->CWE-276", "details": ["A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.", "A missing permissions check vulnerability was found in the Jenkins Bitbucket Branch Source plugin in several HTTP endpoints. This flaw allows attackers with Overall/Read access to enumerate IDs of credentials stored in Jenkins."], "name": "CVE-2022-20618", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2022-01-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-20618\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-20618\nhttps://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2033"], "threat_severity": "Moderate"}

{}