High severityNVD Advisory· Published Sep 6, 2023· Updated Sep 26, 2024

CVE-2023-41937

Description

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.jenkins.plugins:bitbucket-push-and-pull-requestMaven	>= 2.4.0, < 2.8.4	2.8.4

Affected products

ghsa-coords
pkg:maven/io.jenkins.plugins/bitbucket-push-and-pull-request
Range: >= 2.4.0, < 2.8.4
Jenkins Project/Bitbucket Push and Pull Request Plugincpe-rescue
Range: 2.4.0

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-vrpg-c7c4-8mpxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-41937ghsaADVISORY
www.jenkins.io/security/advisory/2023-09-06/ghsavendor-advisoryWEB
www.openwall.com/lists/oss-security/2023/09/06/9ghsaWEB

News mentions

Jenkins Security Advisory 2023-09-06
Jenkins Security Advisories · Sep 6, 2023

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000