Jenkins · Jenkins Bitbucket Push/Pull Request Plugin · CVE-2023-41937
**Name of the Vulnerable Software and Affected Versions**
Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0 through 2.8.3 (both inclusive)
**Description**
The plugin trusts values supplied in the incoming webhook payload, including certain URLs, and then uses the Bitbucket credentials configured in Jenkins to connect to those URLs. Because the URLs are taken from the payload rather than from the plugin's own configuration, anyone who can send a request to the plugin's webhook endpoint can point one of those URLs at a server they control; the plugin then connects there with the stored Bitbucket credentials, which the attacker's server captures.
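The following is an added illustration of the pattern described above, not code from the plugin or from the Jenkins advisory. It shows a webhook handler that attaches a stored credential to whatever URL the payload names (the vulnerable pattern) next to one that first checks that the URL has the same origin as the configured Bitbucket server. The payload layout, the `CONFIGURED_BITBUCKET_URL` and `CREDENTIALS` values and the `AuthorizedRequest` helper are constructed for the example; no network I/O is performed.

```python
"""Trusting a payload-supplied URL vs. validating it against the configured
Bitbucket server. Added example code; payload field names are illustrative
and do not reproduce the real Bitbucket webhook format."""
import base64
from urllib.parse import urlparse

# Constructed configuration standing in for what an administrator would store
# in Jenkins: the Bitbucket server URL and a credential for it.
CONFIGURED_BITBUCKET_URL = "https://bitbucket.example.com"
CREDENTIALS = ("ci-bot", "s3cret")  # constructed, not a real secret

# Constructed webhook payloads. The malicious one names a URL under the
# attacker's control where the payload normally names the repository.
BENIGN_PAYLOAD = {
    "repository": {"links": {"self": {
        "href": "https://bitbucket.example.com/rest/api/1.0/projects/P/repos/r"}}}
}
MALICIOUS_PAYLOAD = {
    "repository": {"links": {"self": {"href": "https://attacker.example/collect"}}}
}


class AuthorizedRequest:
    """Records the target URL and the Basic Authorization header that a real
    HTTP client would send, so the leak is visible without any network access."""

    def __init__(self, url, user, password):
        self.url = url
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}


def repo_url_from_payload(payload):
    """Hypothetical extraction of a URL from the webhook body."""
    return payload["repository"]["links"]["self"]["href"]


def vulnerable_handler(payload):
    """Vulnerable pattern: the URL comes from the payload and the stored
    credential is attached unconditionally, so a crafted payload makes the
    server send its Bitbucket credential to the attacker."""
    url = repo_url_from_payload(payload)
    return AuthorizedRequest(url, *CREDENTIALS)


def same_origin(url, base):
    """True only if url is https and has the configured host and port.
    urlparse().hostname strips userinfo, so 'https://bitbucket.example.com@evil/'
    is compared on 'evil' and rejected."""
    u, b = urlparse(url), urlparse(base)
    if u.scheme != "https":  # also refuses a downgrade to plain http
        return False
    return (u.hostname, u.port or 443) == (b.hostname, b.port or 443)


def hardened_handler(payload):
    """Hardened pattern: attach the credential only to URLs on the configured
    Bitbucket origin. Returns None (no request is made) for anything else."""
    url = repo_url_from_payload(payload)
    if not same_origin(url, CONFIGURED_BITBUCKET_URL):
        return None
    return AuthorizedRequest(url, *CREDENTIALS)


if __name__ == "__main__":
    leaked = vulnerable_handler(MALICIOUS_PAYLOAD)
    print("vulnerable handler would send", leaked.headers, "to", leaked.url)
    print("hardened handler result for malicious payload:",
          hardened_handler(MALICIOUS_PAYLOAD))
```

A stricter variant is to ignore the payload URL entirely and rebuild the request target from the configured server URL plus only the path the payload supplies; the origin check above is the minimum that stops the credential from leaving the configured host.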
**Recommendations**
At the time of writing there is no information about a release of the Jenkins Bitbucket Push and Pull Request Plugin that fixes this issue; versions 2.4.0 through 2.8.3 remain affected. Until a fixed version is available, the general mitigations are to stop untrusted parties from reaching the plugin's webhook endpoint (for example by restricting network access to it so that only the Bitbucket server can deliver webhooks) or to disable or uninstall the plugin. Because a crafted payload discloses the Bitbucket credential configured for the plugin, treat that credential as potentially exposed if the endpoint has been reachable from untrusted networks, rotate it, and give the plugin a dedicated credential with no more access than it needs. Once a fix is published, update to that version.