CVE-2023-41937

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-41937

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41937.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-41937

Aliases

GHSA-vrpg-c7c4-8mpx

Published

2023-09-06T13:15:10.593Z

Modified

2026-03-14T12:14:44.437406Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "2.4.0"
            },
            {
                "last_affected": "2.8.3"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41937.json"