Headline
GHSA-qjw6-xvrm-5f2h: Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication.
In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.
Bitbucket Server Integration Plugin 4.1.4 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the URLs that needs it.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-24398
Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL
High severity GitHub Reviewed Published Jan 22, 2025 to the GitHub Advisory Database • Updated Jan 22, 2025
Package
maven io.jenkins.plugins:atlassian-bitbucket-server-integration (Maven)
Affected versions
>= 2.1.0, < 4.1.4
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication.
In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.
Bitbucket Server Integration Plugin 4.1.4 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the URLs that needs it.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-24398
- https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3434
Published to the GitHub Advisory Database
Jan 22, 2025
Last updated
Jan 22, 2025