GHSA-45v7-65q8-x294

Suggest an improvement
Source
https://github.com/advisories/GHSA-45v7-65q8-x294
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-45v7-65q8-x294/GHSA-45v7-65q8-x294.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-45v7-65q8-x294
Aliases
Published
2022-03-30T00:00:26Z
Modified
2023-11-01T04:58:33.894823Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Stored XSS vulnerability in Jenkins Bitbucket Server Integration Plugin
Details

Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers.

Database specific
{
    "nvd_published_at": "2022-03-29T13:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-29T21:49:49Z"
}
References

Affected packages

Maven / io.jenkins.plugins:atlassian-bitbucket-server-integration

Package

Name
io.jenkins.plugins:atlassian-bitbucket-server-integration
View open source insights on deps.dev
Purl
pkg:maven/io.jenkins.plugins/atlassian-bitbucket-server-integration

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
3.2.0

Affected versions

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3

3.*

3.0.0
3.0.1
3.0.2
3.1.0