GHSA-vrpg-c7c4-8mpx

GitHub Security Advisory

SSRF vulnerability in Jenkins Bitbucket Push and Pull Request Plugin allows capturing credentials

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.
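To show the bug class the advisory describes, here is an added illustration (not the plugin's own code): a webhook handler that collects URLs from the untrusted payload and would hand stored credentials to every one of them, beside a hardened version that only attaches credentials when the URL's scheme, host and port match the configured Bitbucket server. The payload shape, the configured URL and all function names are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit

# Configured by the Jenkins administrator (hypothetical example value).
CONFIGURED_BITBUCKET_URL = "https://bitbucket.example.com"

def _origin(url: str) -> tuple:
    """Return (scheme, host, port); reject anything that is not plain http(s)."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    return (p.scheme, p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80))

def is_trusted_target(url: str, configured: str = CONFIGURED_BITBUCKET_URL) -> bool:
    """True only when scheme, host and port match the configured Bitbucket server."""
    try:
        return _origin(url) == _origin(configured)
    except ValueError:
        return False

def links_from_payload(payload: str) -> list:
    """Collect every 'href' string in the webhook JSON (constructed payload shape)."""
    found = []
    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "href" and isinstance(value, str):
                    found.append(value)
                else:
                    walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
    walk(json.loads(payload))
    return found

def vulnerable_fetch_targets(payload: str) -> list:
    """Pattern the advisory describes: every payload URL would get stored credentials."""
    return links_from_payload(payload)

def hardened_fetch_targets(payload: str) -> list:
    """Fixed pattern: credentials only go to the configured server's exact origin."""
    return [u for u in links_from_payload(payload) if is_trusted_target(u)]

# Constructed payload: one genuine link, one outside host, one host spoofed via userinfo.
SAMPLE_PAYLOAD = json.dumps({
    "repository": {"links": {"self": [{"href": "https://bitbucket.example.com/rest/api/1.0/repos/r"}]}},
    "actor": {"links": {"self": [{"href": "https://collector.invalid/grab"}]}},
    "pullRequest": {"links": {"self": [{"href": "https://bitbucket.example.com@collector.invalid/x"}]}},
})
```

Comparing the two target lists for `SAMPLE_PAYLOAD` shows the difference: the vulnerable pattern would contact all three hosts with credentials, the hardened one only the configured server.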

Affected Packages

Maven io.jenkins.plugins:bitbucket-push-and-pull-request
Affected versions: 2.4.0 through 2.8.3 (fixed in 2.8.4)

Key Information

GHSA ID
GHSA-vrpg-c7c4-8mpx
Published
September 6, 2023 3:30 PM
Last Modified
January 30, 2024 11:07 PM
CVSS Score
7.5 / 10
Primary Ecosystem
Maven
Primary Package
io.jenkins.plugins:bitbucket-push-and-pull-request
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database.