{
  "threat_severity" : "Moderate",
  "public_date" : "2022-01-12T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins-2-plugins/cloudbees-bitbucket-branch-source: no POST request is required for an http endpoint which could allow capturing credentials stored in Jenkins",
    "id" : "2044478",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2044478"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-352",
  "details" : [ "A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.", "A Cross-site request forgery (CSRF) vulnerability was found in the Jenkins Bitbucket Branch Source plugin. In the HTTP endpoint, the POST requests are not required. This flaw allows an attacker with Overall/Read access to connect to an attacker-specified URL (using attacker-specified credentials IDs), capturing credentials stored in Jenkins." ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-20619\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-20619\nhttps://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2467" ],
  "name" : "CVE-2022-20619",
  "csaw" : false
}