Analysis Summary

CVE-2024-39460 CVSS:4.3

Jenkins Bitbucket Branch Source Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of Bitbucket OAuth access token as part of the Bitbucket URL in the build log. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain token information, and use this information to launch further attacks against the affected system.

CVE-2024-39459 CVSS:4.3

Jenkins Plain Credentials Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of credentials unencrypted on the Jenkins controller file system. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system.

CVE-2024-39458 CVSS:3.1

Jenkins Structs Plugin could allow a remote attacker to obtain sensitive information, caused by the storage of secret diagnostic information in log. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

Impact

• Information Disclosure

Indicators of Compromise

CVE

• CVE-2024-39460
• CVE-2024-39459
• CVE-2024-39458

Affected Vendors

Remediation

Refer to Jenkins Security Advisory for patch, upgrade or suggested workaround information.

CVE-2024-39460

CVE-2024-39459

CVE-2024-39458