{"id":"CVE-2024-28152","details":"In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy \"Forks in the same account\" allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server.","aliases":["GHSA-m4rm-x2rr-357w"],"modified":"2026-04-12T10:25:01.972133Z","published":"2024-03-06T17:15:10.637Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2024/03/06/3"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3300"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/bitbucket-branch-source-plugin","events":[{"introduced":"0"},{"fixed":"6aa2a234ac81b6f4c6ca9ae6e465e4ff35dde071"},{"introduced":"0"},{"last_affected":"04c46c86f911259d05c7055221919d9d59596086"},{"introduced":"0"},{"last_affected":"dea7dcd3008e4fa2e524c06b228a7cf9c8e3907f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"848.850.v6a_a_2a_234a_c81"},{"introduced":"0"},{"last_affected":"856.v04c46c86f911"},{"introduced":"0"},{"last_affected":"866.vdea_7dcd3008e"}]}}],"versions":["723.vbabdf19eb4c7","726.vb0c1ea6c9336","731.v1f980b7eba32","734.v2f848c5e6ea2","737.vdf9dc06105be","746.v350d2781c184","751.vda_24678a_f781","756.v081ee2205040","757.vddedc5f2589a_","762.v969cfe087fc0","765.v5a_2d6a_23c01d","773.v4b_9b_005b_562b_","784.v7fcdc7c670f6","785.ve724eb_44e286","791.vb_eea_a_476405b","796.v6cb_1559e1673","800.va_b_b_9a_a_5035c1","803.vd9c5e84c41fa_","804.v8b_0642650b_d2","805.v7f97d29dc0f5","809.vc1d904b_30426","820.v30b_e8c1e36f3","825.va_6a_dc46a_f97d","832.v43175a_425ea_6","843.vd09104df7988","845.v27a_d5823911b_","848.v42c6a_317eda_e","856.v04c46c86f911","866.vdea_7dcd3008e","cloudbees-bitbucket-branch-source-2.0.2","cloudbees-bitbucket-branch-source-2.1.0","cloudbees-bitbucket-branch-source-2.1.1","cloudbees-bitbucket-branch-source-2.1.2","cloudbees-bitbucket-branch-source-2.2.0","cloudbees-bitbucket-branch-source-2.2.1","cloudbees-bitbucket-branch-source-2.2.10","cloudbees-bitbucket-branch-source-2.2.11","cloudbees-bitbucket-branch-source-2.2.12","cloudbees-bitbucket-branch-source-2.2.13","cloudbees-bitbucket-branch-source-2.2.14","cloudbees-bitbucket-branch-source-2.2.15","cloudbees-bitbucket-branch-source-2.2.16","cloudbees-bitbucket-branch-source-2.2.2","cloudbees-bitbucket-branch-source-2.2.3","cloudbees-bitbucket-branch-source-2.2.4","cloudbees-bitbucket-branch-source-2.2.5","cloudbees-bitbucket-branch-source-2.2.6","cloudbees-bitbucket-branch-source-2.2.7","cloudbees-bitbucket-branch-source-2.2.8","cloudbees-bitbucket-branch-source-2.2.9","cloudbees-bitbucket-branch-source-2.3.0","cloudbees-bitbucket-branch-source-2.4.0","cloudbees-bitbucket-branch-source-2.4.1","cloudbees-bitbucket-branch-source-2.4.2","cloudbees-bitbucket-branch-source-2.4.3","cloudbees-bitbucket-branch-source-2.4.4","cloudbees-bitbucket-branch-source-2.4.5","cloudbees-bitbucket-branch-source-2.4.6","cloudbees-bitbucket-branch-source-2.5.0","cloudbees-bitbucket-branch-source-2.6.0","cloudbees-bitbucket-branch-source-2.7.0","cloudbees-bitbucket-branch-source-2.8.0","cloudbees-bitbucket-branch-source-2.9.0","cloudbees-bitbucket-branch-source-2.9.1","cloudbees-bitbucket-branch-source-2.9.10","cloudbees-bitbucket-branch-source-2.9.11","cloudbees-bitbucket-branch-source-2.9.12","cloudbees-bitbucket-branch-source-2.9.2","cloudbees-bitbucket-branch-source-2.9.3","cloudbees-bitbucket-branch-source-2.9.4","cloudbees-bitbucket-branch-source-2.9.5","cloudbees-bitbucket-branch-source-2.9.6","cloudbees-bitbucket-branch-source-2.9.7","cloudbees-bitbucket-branch-source-2.9.8","cloudbees-bitbucket-branch-source-2.9.9"],"database_specific":{"vanir_signatures_modified":"2026-04-12T10:25:01Z","vanir_signatures":[{"id":"CVE-2024-28152-cc10ffda","target":{"file":"src/main/java/com/cloudbees/jenkins/plugins/bitbucket/ForkPullRequestDiscoveryTrait.java","function":"checkTrusted"},"source":"https://github.com/jenkinsci/bitbucket-branch-source-plugin/commit/6aa2a234ac81b6f4c6ca9ae6e465e4ff35dde071","deprecated":false,"digest":{"length":264,"function_hash":"66523165340550917703522118877406842793"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2024-28152-f7826a9c","target":{"file":"src/main/java/com/cloudbees/jenkins/plugins/bitbucket/ForkPullRequestDiscoveryTrait.java"},"source":"https://github.com/jenkinsci/bitbucket-branch-source-plugin/commit/6aa2a234ac81b6f4c6ca9ae6e465e4ff35dde071","deprecated":false,"digest":{"line_hashes":["30890580078752889672481009885636430360","229402029620681632373804298718475472446","256905793418602869343659903632231533641","212546324705304523228493246612319086967"],"threshold":0.9},"signature_version":"v1","signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28152.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}]}