VYPR
Moderate severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28134

Description

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier lacks permission checks, allowing attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Bitbucket Server Integration Plugin, versions 3.1.0 and earlier, does not perform permission checks in several HTTP endpoints [1][2]. As a result, any attacker with Overall/Read permission can interact with the Bitbucket Server consumer management endpoints [2]. The plugin is used to integrate Jenkins with Atlassian Bitbucket Server [1].

Exploitation

An attacker needs only Overall/Read permission, which is the default base permission in Jenkins [2]. No further authentication or user interaction is required. With that permission, crafted HTTP requests to the affected endpoints can create, view, or delete Bitbucket Server consumers [2][4].

Impact

A successful attacker can create, view, or delete Bitbucket Server consumers [2][4]. This may lead to unauthorized changes in the integration configuration, potentially redirecting webhooks or exposing build data. The impact is rated Medium severity [2].

Mitigation

Bitbucket Server Integration Plugin version 3.2.0 fixes the issue by requiring Overall/System Read permission to view consumers and Overall/Administer permission to modify them [2]. The update was released on March 29, 2022 [3]. Users should upgrade to version 3.2.0 or later.
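The fix described above is the standard Jenkins pattern: every Stapler web method that exposes or changes global configuration must call checkPermission itself, because the servlet layer only guarantees that the caller is authenticated. The following is an added illustration, not code from the Bitbucket Server Integration Plugin: a hypothetical RootAction (class name, URL name and the in-memory consumer store are all assumptions) that applies the permission split the 3.2.0 release is described as using, Overall/SystemRead for viewing consumers and Overall/Administer for creating or deleting them. The vulnerable shape is the same handlers without the checkPermission lines.

```java
// Added example, not the plugin's own code. Demonstrates the permission checks
// the advisory describes for version 3.2.0 using Jenkins core / Stapler APIs.
// Class name, URL name and the Map-backed store are assumptions for illustration.
package example.bitbucketconsumers;

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@Extension
public class ConsumerAdminAction implements RootAction {

    // Constructed stand-in for real consumer storage: consumer id -> display name.
    private final Map<String, String> consumers = new ConcurrentHashMap<>();

    @Override public String getIconFileName() { return null; }   // no sidebar entry
    @Override public String getDisplayName()  { return "Bitbucket consumers (example)"; }
    @Override public String getUrlName()      { return "bitbucket-consumers-example"; }

    // GET /bitbucket-consumers-example/list
    // Viewing integration configuration is a system-level read, so it requires
    // Overall/SystemRead. Without this call (the vulnerable pattern) anyone holding
    // the default Overall/Read permission could enumerate consumers.
    public void doList(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.SYSTEM_READ);
        rsp.setContentType("text/plain;charset=UTF-8");
        for (Map.Entry<String, String> e : consumers.entrySet()) {
            rsp.getWriter().println(e.getKey() + " " + e.getValue());
        }
    }

    // POST /bitbucket-consumers-example/create?id=...&name=...
    // Changing configuration requires Overall/Administer. @RequirePOST rejects GET,
    // which keeps the mutation off plain links and lets the CSRF crumb check apply.
    @RequirePOST
    public void doCreate(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String id = req.getParameter("id");
        String name = req.getParameter("name");
        if (id == null || id.isEmpty() || name == null || name.isEmpty()) {
            rsp.sendError(StaplerResponse.SC_BAD_REQUEST, "id and name are required");
            return;
        }
        consumers.put(id, name);
        rsp.setStatus(StaplerResponse.SC_CREATED);
    }

    // POST /bitbucket-consumers-example/delete?id=...
    @RequirePOST
    public void doDelete(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String id = req.getParameter("id");
        if (id == null || consumers.remove(id) == null) {
            rsp.sendError(StaplerResponse.SC_NOT_FOUND, "unknown consumer");
            return;
        }
        rsp.setStatus(StaplerResponse.SC_NO_CONTENT);
    }
}
```

checkPermission throws an AccessDeniedException when the current user lacks the permission, and Jenkins turns that into a 403 (or a login redirect for anonymous users), so the handler body never runs for an under-privileged caller. The check a maintainer would add alongside such a fix is a JenkinsRule test that configures a MockAuthorizationStrategy granting one user only Overall/Read and asserts that list, create and delete all return 403 for that user while an administrator succeeds.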

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                                      | Ecosystem | Affected versions | Patched versions
io.jenkins.plugins:atlassian-bitbucket-server-integration  | Maven     | < 3.2.0           | 3.2.0

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1