VYPR
← All advisories
Moderate severityNVD Advisory· Published Jun 26, 2024· Updated Feb 13, 2025

CVE-2024-39460

CVE-2024-39460

Description

Jenkins Bitbucket Branch Source Plugin leaks the OAuth access token in build logs by printing it as part of the Bitbucket URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Bitbucket Branch Source Plugin leaks the OAuth access token in build logs by printing it as part of the Bitbucket URL.

Vulnerability

Description

CVE-2024-39460 affects Jenkins Bitbucket Branch Source Plugin version 886.v44cf5e4ecec5 and earlier. The plugin prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log under certain conditions, exposing the token to anyone with access to the log files [1][2].

Exploitation

Path

An attacker with access to Jenkins build logs—such as users with Job/Read permission or those who can view system logs—can retrieve the OAuth access token. The token is leaked when the plugin constructs a Bitbucket URL that includes the token directly, and that URL is logged during a build. No special authentication or network position is required beyond the ability to read build logs [2][3].

Impact

The exposed OAuth access token can be used to authenticate as the Jenkins integration to Bitbucket, potentially allowing unauthorized access to repositories and operations that the token permits. The severity is rated as medium due to the need for build log access, but the privileges obtained can be significant depending on the token's scope [2].

Mitigation

The vulnerability is fixed in Bitbucket Branch Source Plugin version 887.va_d359b_3d2d8d, which modifies the credential handling to avoid embedding the token in the URL logged. Users should upgrade to this version or later. No workaround is available; plugin updates are the recommended mitigation [2][3].

References
  1. [SECURITY-3363] · jenkinsci/bitbucket-branch-source-plugin@ad359b3
  2. Jenkins Security Advisory 2024-06-26
  3. security - Multiple vulnerabilities in Jenkins plugins

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.plugins:cloudbees-bitbucket-branch-sourceMaven
< 887.va887.va

Affected products

2

Patches

1
ad359b3d2d8d

[SECURITY-3363]

https://github.com/jenkinsci/bitbucket-branch-source-pluginYaroslav AfenkinJun 18, 2024via ghsa
commit
6 files changed · +65 26
  • src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/BitbucketAuthenticator.java+11 0 modified
    @@ -26,6 +26,7 @@
 
 import com.cloudbees.jenkins.plugins.bitbucket.endpoints.BitbucketCloudEndpoint;
 import com.cloudbees.plugins.credentials.common.StandardCredentials;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import jenkins.authentication.tokens.api.AuthenticationTokenContext;
 import org.apache.http.HttpHost;
 import org.apache.http.HttpRequest;
@@ -107,6 +108,16 @@ public void configureRequest(HttpRequest request) {
         // override to configure HttpRequest
     }
 
+
+    /**
+     * Provides credentials that can be used for authenticated interactions with SCM.
+     *
+     * @return credentials to be passed to {@link org.jenkinsci.plugins.gitclient.GitClient#setCredentials(StandardUsernameCredentials)}
+     */
+    public StandardUsernameCredentials getCredentialsForScm() {
+        return null;
+    }
+
     /**
      * Add authentication token to clone link if
      * authentication method requires it
  • src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketAccessTokenAuthenticator.java+10 0 modified
    @@ -1,7 +1,11 @@
 package com.cloudbees.jenkins.plugins.bitbucket.api.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
+import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
 import hudson.util.Secret;
+import org.apache.commons.lang.StringUtils;
 import org.apache.http.HttpHeaders;
 import org.apache.http.HttpRequest;
 import org.jenkinsci.plugins.plaincredentials.StringCredentials;
@@ -31,4 +35,10 @@ public BitbucketAccessTokenAuthenticator(StringCredentials credentials) {
     public void configureRequest(HttpRequest request) {
         request.setHeader(HttpHeaders.AUTHORIZATION, "Bearer " + token.getPlainText());
     }
+
+    @Override
+    public StandardUsernameCredentials getCredentialsForScm() {
+        return new UsernamePasswordCredentialsImpl(
+                CredentialsScope.GLOBAL, null, null, StringUtils.EMPTY, token.getPlainText());
+    }
 }
  • src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketOAuthAuthenticator.java+7 25 modified
    @@ -1,10 +1,11 @@
 package com.cloudbees.jenkins.plugins.bitbucket.api.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
-import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketHref;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
-import java.net.URI;
-import java.net.URISyntaxException;
+import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
+import org.apache.commons.lang.StringUtils;
 import org.apache.http.HttpRequest;
 import org.scribe.model.OAuthConfig;
 import org.scribe.model.OAuthConstants;
@@ -38,27 +39,8 @@ public void configureRequest(HttpRequest request) {
     }
 
     @Override
-    public BitbucketHref addAuthToken(BitbucketHref bitbucketHref) {
-        String link = bitbucketHref.getHref();
-        if (!link.startsWith("http")) {
-            return bitbucketHref;
-        }
-        try {
-            URI uri = new URI(link);
-            String userInfo = "x-token-auth:{" + token.getToken() + "}";
-            String newLink = new URI(
-                uri.getScheme(),
-                userInfo,
-                uri.getHost(),
-                uri.getPort(),
-                uri.getPath(),
-                uri.getQuery(),
-                uri.getFragment()
-            ).toString();
-            return new BitbucketHref(bitbucketHref.getName(), newLink);
-        } catch (URISyntaxException e) {
-            throw new RuntimeException(e);
-        }
+    public StandardUsernameCredentials getCredentialsForScm() {
+        return new UsernamePasswordCredentialsImpl(
+                CredentialsScope.GLOBAL, null, null, StringUtils.EMPTY, token.getToken());
     }
-
 }
  • src/main/java/com/cloudbees/jenkins/plugins/bitbucket/api/credentials/BitbucketUsernamePasswordAuthenticator.java+9 0 modified
    @@ -26,7 +26,10 @@
 package com.cloudbees.jenkins.plugins.bitbucket.api.credentials;
 
 import com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketAuthenticator;
+import com.cloudbees.plugins.credentials.CredentialsScope;
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
 import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
+import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.http.HttpHost;
@@ -74,4 +77,10 @@ public void configureContext(HttpClientContext context, HttpHost host) {
         context.setCredentialsProvider(credentialsProvider);
         context.setAuthCache(authCache);
     }
+
+    @Override
+    public StandardUsernameCredentials getCredentialsForScm() {
+        return new UsernamePasswordCredentialsImpl(
+                CredentialsScope.GLOBAL, null, null, httpCredentials.getUserName(), httpCredentials.getPassword());
+    }
 }
  • src/main/java/com/cloudbees/jenkins/plugins/bitbucket/BitbucketSCMSource.java+3 1 modified
    @@ -1029,7 +1029,9 @@ public SCM build(SCMHead head, SCMRevision revision) {
         switch (type) {
             case GIT:
             default:
-                return new BitbucketGitSCMBuilder(this, head, revision, getCredentialsId())
+                BitbucketAuthenticator authenticator = authenticator();
+                return new BitbucketGitSCMBuilder(this, head, revision, null)
+                        .withExtension(authenticator == null ? null : new GitClientAuthenticatorExtension(authenticator.getCredentialsForScm()))
                         .withCloneLinks(primaryCloneLinks, mirrorCloneLinks)
                         .withTraits(traits)
                         .build();
  • src/main/java/com/cloudbees/jenkins/plugins/bitbucket/GitClientAuthenticatorExtension.java+25 0 added
    @@ -0,0 +1,25 @@
+package com.cloudbees.jenkins.plugins.bitbucket;
+
+import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
+import hudson.plugins.git.GitException;
+import hudson.plugins.git.GitSCM;
+import hudson.plugins.git.extensions.GitSCMExtension;
+import org.jenkinsci.plugins.gitclient.GitClient;
+
+public class GitClientAuthenticatorExtension extends GitSCMExtension {
+
+    private final StandardUsernameCredentials credentials;
+
+    public GitClientAuthenticatorExtension(StandardUsernameCredentials credentials) {
+        this.credentials = credentials;
+    }
+
+    @Override
+    public GitClient decorate(GitSCM scm, GitClient git) throws GitException {
+        if (credentials != null) {
+            git.setCredentials(credentials);
+        }
+
+        return git;
+    }
+}

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

1