Jenkins Bitbucket Push And Pull Request Plugin
Monthly
Jenkins Bitbucket Push and Pull Request Plugin versions 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for all outbound Bearer token authenticated requests to configured Bitbucket Server endpoints, creating a man-in-the-middle exposure. Any attacker positioned to intercept network traffic on the path between the Jenkins controller and the Bitbucket Server can capture the Bearer token and subsequently authenticate directly to the Bitbucket Server API. No public exploit is identified at time of analysis, and SSVC rates exploitation as none with partial technical impact; however, the token capture risk is non-trivial for deployments routing Jenkins traffic over untrusted or shared network segments.
Jenkins Bitbucket Push and Pull Request Plugin versions 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for all outbound Bearer token authenticated requests to configured Bitbucket Server endpoints, creating a man-in-the-middle exposure. Any attacker positioned to intercept network traffic on the path between the Jenkins controller and the Bitbucket Server can capture the Bearer token and subsequently authenticate directly to the Bitbucket Server API. No public exploit is identified at time of analysis, and SSVC rates exploitation as none with partial technical impact; however, the token capture risk is non-trivial for deployments routing Jenkins traffic over untrusted or shared network segments.