VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28133

Description

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier has stored XSS via unfiltered URL schemes in OAuth consumer callback URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Bitbucket Server Integration Plugin 2.0.0 through 3.1.0 (inclusive) does not restrict the URL schemes allowed in callback URLs when creating OAuth consumers. An attacker who can create Bitbucket Server consumers can therefore store a javascript: URL as a consumer's callback URL, which is a stored cross-site scripting (XSS) vulnerability. Note that a javascript: URL needs no HTML metacharacters, so HTML-escaping the stored value when it is rendered does not neutralize it; the scheme has to be rejected when the consumer is created. [1][2]

Exploitation

An attacker must be able to create Bitbucket Server consumers. The missing permission checks tracked separately as CVE-2022-28134 let any user with Overall/Read permission create consumers, so the two issues chain. The attacker sets the consumer's callback URL to a javascript: URL carrying arbitrary JavaScript. A javascript: URL runs only when a browser navigates to it, so the script executes when a victim views the crafted consumer in Jenkins and follows the rendered callback link; it then runs in the browser context of that Jenkins user. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim’s Jenkins session, potentially leading to disclosure of sensitive information, session hijacking, or further actions within Jenkins. The stored XSS persists until the malicious consumer is removed. [2]

Mitigation

Bitbucket Server Integration Plugin version 3.2.0, released March 29, 2022, limits the allowed URL schemes so that consumers with javascript: callback URLs can no longer be created. Users should update to 3.2.0 or later. No workarounds are documented. Because the fix as described is applied at creation time, any consumers created before the upgrade should be reviewed and those with non-http(s) callback URLs removed. [2][3]
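The check that was missing and the allow-list that closes it, as an added example in Python (this is not the plugin's own Java code, and the function and constant names, the sample inputs and the rendering helper are all assumptions made for illustration). Alongside the unrestricted pre-3.2.0 behaviour and the allow-list fix, it also shows why a naive prefix denylist fails and why output encoding alone cannot stop this XSS:

```python
"""Callback-URL scheme validation, before and after.

Added example, not code from the plugin: models the class of check that
CVE-2022-28133 was missing and the scheme allow-list that closes it.
Function and constant names are illustrative assumptions.
"""
import html
import re
from urllib.parse import urlsplit

# Assumption: an OAuth callback for a Jenkins-hosted integration only ever
# needs to be a web URL, so the allow-list is deliberately tiny.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Browsers drop ASCII tab/newline anywhere in a URL and trim leading/trailing
# C0 controls and spaces before working out the scheme (WHATWG URL parsing).
# Normalising the same way stops "java\tscript:" or "\x01javascript:" from
# being classified one way by the check and another way by the victim's browser.
_TAB_NEWLINE = re.compile(r"[\t\r\n]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21)) + "\x7f"


def normalize(raw: str) -> str:
    return _TAB_NEWLINE.sub("", raw).strip(_C0_AND_SPACE)


def vulnerable_accept(raw: str) -> bool:
    """Pre-3.2.0 behaviour as the advisory describes it: any non-empty
    callback URL is stored, whatever its scheme."""
    return bool(raw.strip())


def denylist_accept(raw: str) -> bool:
    """A tempting partial fix: block the literal 'javascript:' prefix.
    Included because it fails on the normalisation cases above."""
    return not raw.lower().startswith("javascript:")


def allowlist_accept(raw: str) -> bool:
    """Hardened check: parse the normalised URL and require an explicit
    http/https scheme plus a host. Anything the parser rejects fails closed."""
    try:
        parts = urlsplit(normalize(raw))
    except ValueError:  # e.g. a malformed IPv6 literal in the host
        return False
    # urlsplit already lower-cases the scheme.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_link(stored_callback: str) -> str:
    """How a consumer listing might render the stored URL. HTML-escaping is
    applied, yet a javascript: URL survives untouched: it contains no HTML
    metacharacters, so output encoding alone does not prevent this XSS."""
    safe = html.escape(stored_callback, quote=True)
    return f'<a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    # Constructed sample inputs, not captured data.
    samples = [
        "https://jenkins.example.test/bitbucket/callback",
        "javascript:alert(document.cookie)",
        "JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        " \x01javascript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "//evil.example/cb",
        "http:evil.example",
    ]
    for s in samples:
        print(f"{s!r:45} vulnerable={vulnerable_accept(s)!s:5} "
              f"denylist={denylist_accept(s)!s:5} allowlist={allowlist_accept(s)}")
    print(render_link("javascript:alert(1)"))
```

Running the block prints one row per sample. The denylist accepts the tab-split and control-prefixed payloads that a browser would still execute, while the allow-list rejects every non-http(s) input, including scheme-relative and host-less forms, and fails closed on unparseable input. The rendered anchor shows the escaped javascript: href unchanged.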

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                                              Affected versions    Patched versions
io.jenkins.plugins:atlassian-bitbucket-server-integration (Maven)    >= 2.0.0, < 3.2.0    3.2.0

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1