Alvaro Muñoz

Researcher at GitHub Security Lab
#34872 of 53,635
7.5 CVSS total
Vulnerabilities · 1
PT-2023-28175
7.5
2023-09-06
Jenkins · Jenkins Bitbucket Push/Pull Request Plugin · CVE-2023-41937
**Name of the Vulnerable Software and Affected Versions**

Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0 through 2.8.3

**Description**

The issue allows attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. This is possible because the plugin trusts values provided in the webhook payload, including certain URLs, and uses the configured Bitbucket credentials to connect to those URLs.

**Recommendations**

For Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0 through 2.8.3, update to a version that fixes the issue, as the current versions trust values provided in the webhook payload, allowing potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.