CVE-2023-41937

Name of the Vulnerable Software and Affected Versions Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0 through 2.8.3

Description The issue allows attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. This is possible because the plugin trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs.

Recommendations For Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0 through 2.8.3, update to a version that fixes the issue, as the current versions trust values provided in the webhook payload, allowing potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.