Vulnerability in Jenkins Bitbucket Plugin Exposes Credentials
CVE-2023-41937

7.5HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Bitbucket Push And Pull Request Plugin
Vendor: CVE Published:; 6 September 2023

Summary

The Jenkins Bitbucket Push and Pull Request Plugin, versions 2.4.0 to 2.8.3, improperly trusts values in webhook payloads. This flaw allows attackers to send specially crafted webhook requests that can deceive the plugin into connecting to arbitrary URLs, leading to the exposure of sensitive Bitbucket credentials stored within Jenkins. This vulnerability emphasizes the need for stringent validation of incoming data and robust security measures to protect critical user information.

Affected Version(s)

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 <= 2.8.3

References

https://www.jenkins.io/security/advisory/2023-09-06/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/09/06/9

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 6, 2023
Vulnerability Reserved
Sep 5, 2023