CVE-2023-41937: 
Java vulnerability analysis and mitigation

Jenkins Bitbucket Push and Pull Request Plugin versions 2.4.0 through 2.8.3 contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2023-41937. The vulnerability was discovered in September 2023 and affects the webhook endpoint functionality of the plugin. This security issue allows attackers to potentially capture Bitbucket credentials stored in Jenkins through crafted webhook payloads (Jenkins Advisory, OSS Security).

The vulnerability exists in the webhook endpoint at /bitbucket-hook/ that receives webhook notifications. When processing these notifications, the plugin trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a high impact on confidentiality (NVD).

The primary impact of this vulnerability is the potential exposure of Bitbucket credentials stored in Jenkins. Attackers can capture these credentials by sending specially crafted webhook payloads that force connections to attacker-controlled servers (GitHub Security Lab).

The vulnerability has been fixed in Bitbucket Push and Pull Request Plugin version 2.8.4. The fix ensures that the plugin only connects to the Bitbucket endpoint configured for the job when acting on a webhook notification, rather than trusting URLs from the webhook payload (Jenkins Advisory).