CVE-2023-41937: Server-Side Request Forgery (SSRF)

September 6, 2023 (updated January 30, 2024)

Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.

References

www.openwall.com/lists/oss-security/2023/09/06/9
github.com/advisories/GHSA-vrpg-c7c4-8mpx
nvd.nist.gov/vuln/detail/CVE-2023-41937
www.jenkins.io/security/advisory/2023-09-06/

Detect and mitigate CVE-2023-41937 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →