Vulnerability Description
Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Bitbucket Push And Pull Request | >= 2.4.0, <= 2.8.3 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/09/06/9 (Mailing List, Third Party Advisory)
- https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3165 (Vendor Advisory)
FAQ
What is CVE-2023-41937?
CVE-2023-41937 is a vulnerability with a CVSS score of 7.5 (HIGH). Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.
How severe is CVE-2023-41937?
CVE-2023-41937 has been rated HIGH with a CVSS base score of 7.5/10. Only the base score and rating are recorded on this page; the impact is disclosure of the Bitbucket credentials stored in Jenkins to whoever can deliver a webhook payload to the plugin's endpoint.
Is there a patch for CVE-2023-41937?
Check the references section above for vendor advisories and patch information; the Jenkins security advisory of 2023-09-06 (SECURITY-3165) is the authoritative source for fixed versions. Affected products include: Jenkins Bitbucket Push And Pull Request, versions 2.4.0 through 2.8.3 inclusive.