CVE-2023-41937
SSRF vulnerability in Jenkins Bitbucket Push and Pull Request Plugin allows capturing credentials
7.5
HIGH
CVSS 3.1
EPSS 0.09%
Description
Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.
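A defender-side check of the kind this advisory implies, added here as an illustration and not the plugin's own code or fix: before stored Bitbucket credentials are used, a payload-supplied URL is accepted only when it sits on the same origin as the administrator-configured Bitbucket server. The payload field names and hostnames below are constructed for the example.

```python
"""Same-origin gate for webhook-supplied URLs (added illustration, not plugin code)."""
from urllib.parse import urlsplit

# Constructed fragment of a webhook payload carrying repository links.
# Field names are illustrative, not a claim about the plugin's exact parsing.
SAMPLE_PAYLOAD = {
    "repository": {
        "links": {
            "clone": [
                {"href": "https://bitbucket.example.com/scm/demo/app.git", "name": "http"},
                {"href": "ssh://git@bitbucket.example.com/demo/app.git", "name": "ssh"},
            ]
        }
    }
}

def same_origin(payload_url: str, configured_base_url: str) -> bool:
    """True only if scheme, host and effective port match the configured server.

    Credentials configured for the real server are then never sent to a host
    that merely appears in an incoming request.
    """
    p, c = urlsplit(payload_url), urlsplit(configured_base_url)
    if p.scheme != c.scheme or not p.hostname:
        return False
    if p.hostname.lower() != (c.hostname or "").lower():
        return False
    default = {"https": 443, "http": 80}
    return (p.port or default.get(p.scheme)) == (c.port or default.get(c.scheme))

def select_clone_url(payload: dict, configured_base_url: str) -> str:
    """Return the HTTP clone URL from the payload only if it is on the configured origin.

    Anything else raises ValueError, so the caller never authenticates to an
    unexpected destination; off-origin links are simply not eligible.
    """
    links = payload.get("repository", {}).get("links", {}).get("clone", [])
    for link in links:
        href = link.get("href", "")
        if link.get("name") == "http" and same_origin(href, configured_base_url):
            return href
    raise ValueError("no clone URL on the configured Bitbucket origin in payload")
```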
How to fix CVE-2023-41937
To remediate CVE-2023-41937, upgrade the affected package to a fixed version below.
- Upgrade to 2.8.4 or later
Is CVE-2023-41937 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.4.0, < 2.8.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |