CVE-2023-41937
Summary
| CVE | CVE-2023-41937 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-09-06 13:15:00 UTC |
| Updated | 2023-09-11 17:53:00 UTC |
| Description | Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Jenkins Security Advisory 2023-09-06 |
MISC |
www.jenkins.io |
|
| oss-security - Multiple vulnerabilities in Jenkins plugins |
MISC |
www.openwall.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 996969 Java (Maven) Security Update for io.jenkins.plugins:bitbucket-push-and-pull-request (GHSA-vrpg-c7c4-8mpx)