CVE-2025-64148

Vulnerability

The Jenkins Publish to Bitbucket Plugin versions 0.4 and earlier contain a missing permission check vulnerability. This flaw allows an attacker with only Overall/Read permission to enumerate credentials IDs stored in Jenkins. The plugin fails to verify that the user has the necessary permissions (such as Credentials/View) before exposing credential identifiers.

Exploitation

An attacker who has been granted Overall/Read permission (a relatively low privilege level) can exploit this by sending crafted requests to the plugin's endpoints. No additional authentication or special network position is required beyond having a Jenkins account with that basic permission. The attack surface is the Jenkins web interface or API endpoints exposed by the plugin.

Impact

Successful exploitation enables the attacker to enumerate credential IDs, which are unique identifiers for stored credentials. While this does not directly reveal the credential secrets (passwords, tokens, etc.), it provides information that can be used in further attacks, such as targeting specific credentials or mapping the credential store. This information disclosure could aid in more sophisticated attacks against the Jenkins instance.

Mitigation

As of the advisory date (2025-10-29), no fix has been released for the Publish to Bitbucket Plugin. The plugin is listed among those with unresolved security issues in the Jenkins Security Advisory [1][2]. Users are advised to restrict Overall/Read permission to trusted users only, or to disable the plugin if not required. The plugin's source repository [4] may be monitored for future updates.