CVE-2024-39460: Bitbucket OAuth access token exposed in the build log by Bitbucket Branch Source Plugin

June 26, 2024

Bitbucket Branch Source Plugin 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases.

Bitbucket Branch Source Plugin 887.va_d359b_3d2d8d does not include the Bitbucket OAuth access token as part of the Bitbucket URL in the build log.

References

github.com/advisories/GHSA-x8mf-jcmf-r79f
github.com/jenkinsci/bitbucket-branch-source-plugin
github.com/jenkinsci/bitbucket-branch-source-plugin/commit/ad359b3d2d8d6c114025d81abc59b3c9acb636df
nvd.nist.gov/vuln/detail/CVE-2024-39460
www.jenkins.io/security/advisory/2024-06-26/

Detect and mitigate CVE-2024-39460 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →