CVE-2023-41937

7.5HIGH

Key Information

Vendor: Jenkins
Status: Jenkins Bitbucket Push And Pull Request Plugin
Vendor: CVE Published:; 6 September 2023

Summary

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.

Affected Version(s)

Jenkins Bitbucket Push and Pull Request Plugin <= 2.8.3

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Sep 6, 2023
Vulnerability Reserved.
Sep 5, 2023

Collectors

NVD DatabaseMitre Database