VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Nov 4, 2025

CVE-2025-64150

Description

A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read to capture stored credentials via attacker-controlled URL.

Vulnerability

Overview: The Jenkins Publish to Bitbucket Plugin, versions 0.4 and earlier, contains a missing permission check in an unspecified HTTP endpoint. This flaw allows an attacker with only Overall/Read permission (a low-privilege role) to trigger a connection to an attacker-specified URL using credential IDs obtained through other means (e.g., credential ID enumeration or other plugin vulnerabilities). The root cause is the lack of a permission check before the operation is executed, as noted in the Jenkins security advisory [1].

Exploitation

Prerequisites: Exploitation requires the attacker to have Overall/Read permission on the Jenkins instance and to know valid credential IDs stored in Jenkins (which could be harvested via other flaws or misconfigurations). When supplied with these credential IDs and a controlled URL, the plugin attempts to connect to that URL using the corresponding stored credentials, effectively leaking them to the attacker [2]. No additional authentication or network position is needed beyond access to the Jenkins web UI.

Impact

A successful attack captures credentials stored in Jenkins, which may include passwords, API tokens, SSH keys, or cloud provider secrets. This can lead to lateral movement, privilege escalation, or compromise of external systems accessible with those credentials. The vulnerability is classified as a missing permission check, with no CVSS vector officially assigned as of the advisory date [3].

Mitigation

Status: As of October 2025, the Publish to Bitbucket Plugin is listed as an unresolved security issue in the Jenkins advisory [2]. No patched version has been released, and the plugin's GitHub repository does not indicate an update [4]. Administrators are advised to restrict Overall/Read permissions where possible, remove the plugin if it is not in use, or monitor for an official fix.
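The "remove the plugin if not in use" advice presumes you know where it is installed. The following inventory check is an added example (not code from the advisory or from the plugin project): it parses the plugin list Jenkins serves at /pluginManager/api/json?depth=1 and flags installs at version 0.4 or earlier, using a numeric version comparison so that a hypothetical 0.10 is not mistaken for an affected release. It assumes the plugin's shortName is `publish-to-bitbucket` (taken from the Maven artifactId on this page) and that the live query is run with an administrator's API token.

```python
"""Added inventory check for CVE-2025-64150 (not from the advisory or the plugin
project). Parses the JSON Jenkins serves at /pluginManager/api/json?depth=1 and
flags the Publish to Bitbucket plugin at version 0.4 or earlier. Assumed: the
shortName 'publish-to-bitbucket' (from the Maven artifactId) and an admin token."""
import base64
import json
import re
import sys
import urllib.request

AFFECTED_SHORT_NAME = "publish-to-bitbucket"  # assumed from the artifactId
LAST_AFFECTED = "0.4"                          # advisory: "0.4 and earlier"


def version_key(version):
    """Numeric tuple for ordering: '0.10' -> (0, 10) is newer than '0.4' -> (0, 4)
    even though the string '0.10' sorts before '0.4'."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_affected(version):
    """True for 0.4 and every earlier release; an empty/unknown version counts."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def find_affected_plugins(plugin_manager_json):
    """Return [(shortName, version, enabled)] for vulnerable installs."""
    hits = []
    for p in plugin_manager_json.get("plugins", []):
        if p.get("shortName") == AFFECTED_SHORT_NAME and is_affected(p.get("version", "")):
            hits.append((p["shortName"], p["version"], bool(p.get("enabled", True))))
    return hits


def fetch_plugins(base_url, user, api_token):
    """Live inventory over HTTP basic auth with a Jenkins API token (assumed: admin)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample in the shape Jenkins returns; one affected plugin, one not.
SAMPLE = {"plugins": [
    {"shortName": "publish-to-bitbucket", "version": "0.4", "enabled": True},
    {"shortName": "git", "version": "5.2.2", "enabled": True},
]}

if __name__ == "__main__":
    data = fetch_plugins(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE
    for name, ver, enabled in find_affected_plugins(data):
        print(f"AFFECTED: {name} {ver} enabled={enabled}; remove/disable until a fix ships")
```

Run with no arguments to see the constructed sample flagged, or with `<jenkins_url> <user> <api_token>` to query a live controller.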

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:publish-to-bitbucket (Maven)
Affected versions: <= 0.4
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 1