QID 996969
Date Published: 2024-01-31
QID 996969: Java (Maven) Security Update for io.jenkins.plugins:bitbucket-push-and-pull-request (GHSA-vrpg-c7c4-8mpx)
Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.
Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
Solution
Refer to Github security advisory GHSA-vrpg-c7c4-8mpx for updates and patch information.
Vendor References
- GHSA-vrpg-c7c4-8mpx -
github.com/advisories/GHSA-vrpg-c7c4-8mpx
CVEs related to QID 996969
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-vrpg-c7c4-8mpx | io.jenkins.plugins:bitbucket-push-and-pull-request |
|