CVE-2024-39460
Bitbucket OAuth access token exposed in the build log by Bitbucket Branch Source Plugin
CVSS 3.1: 4.3 (MEDIUM)
EPSS: 0.21%
Description
Bitbucket Branch Source Plugin 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases. Bitbucket Branch Source Plugin 887.va_d359b_3d2d8d does not include the Bitbucket OAuth access token as part of the Bitbucket URL in the build log.
How to fix CVE-2024-39460
To remediate CVE-2024-39460, upgrade the affected package to a fixed version below.
- Bitbucket Branch Source Plugin: upgrade to 887.va_d359b_3d2d8d or later
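Build logs written by affected versions may still contain the token, so existing logs are worth checking. The following is an added example, not code from the plugin or the advisory: it scans build log text for Bitbucket URLs that carry a credential and reports them redacted. The advisory does not say where in the URL the token appears, so the userinfo and query-parameter checks, the parameter names and the sample log are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Assumption: the advisory does not say where in the URL the token appears,
# so both the userinfo part and token-like query parameters are checked.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
TOKEN_PARAMS = {"access_token", "token"}  # assumed parameter names

# Constructed sample build log; tokens and repository names are made up.
SAMPLE_LOG = """\
Started by an SCM change
Fetching from https://x-token-auth:CONSTRUCTED-TOKEN-123@bitbucket.org/acme/app.git
Cloning https://bitbucket.org/acme/app.git
GET https://api.bitbucket.org/2.0/repositories/acme/app?access_token=CONSTRUCTED-456&page=2
Finished: SUCCESS
"""


def _redact(parts):
    """Rebuild the URL with the password and token parameters masked."""
    netloc = parts.netloc
    if parts.password:
        netloc = f"{parts.username}:****@{netloc.rsplit('@', 1)[1]}"
    query = "&".join(
        f"{k}=****" if k.lower() in TOKEN_PARAMS else f"{k}={v}"
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    )
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def find_token_urls(log_text, host_hint="bitbucket"):
    """Return (line_no, location, redacted_url) for each suspect URL."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            try:
                parts = urlsplit(match.group(0).rstrip(".,;)"))
            except ValueError:
                continue  # malformed URL, e.g. a broken IPv6 literal
            if host_hint not in (parts.hostname or "").lower():
                continue
            where = []
            if parts.password:
                where.append("userinfo")
            if any(k.lower() in TOKEN_PARAMS for k, _ in parse_qsl(parts.query)):
                where.append("query")
            if where:
                findings.append((line_no, "+".join(where), _redact(parts)))
    return findings
```

The findings contain only redacted URLs, so the report itself can be shared without repeating the exposure.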
Is CVE-2024-39460 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Bitbucket Branch Source Plugin: from 0, < 887.va_d359b_3d2d8d
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |