Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/09/06/9 | Mailing List Third Party Advisory |
https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3165 | Vendor Advisory |
Configurations
History
11 Sep 2023, 17:53
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://www.openwall.com/lists/oss-security/2023/09/06/9 - Mailing List, Third Party Advisory | |
References | (MISC) https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3165 - Vendor Advisory | |
CWE | CWE-918 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
First Time |
Jenkins
Jenkins bitbucket Push And Pull Request |
|
CPE | cpe:2.3:a:jenkins:bitbucket_push_and_pull_request:*:*:*:*:*:jenkins:*:* |
06 Sep 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Sep 2023, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-09-06 13:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-41937
Mitre link : CVE-2023-41937
CVE.ORG link : CVE-2023-41937
JSON object : View
Products Affected
jenkins
- bitbucket_push_and_pull_request
CWE
CWE-918
Server-Side Request Forgery (SSRF)