Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
| Score | Percentile |
|---|---|
| 0.03% | 10.19% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.4 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-wpr5-rc2j-99p2 ↗ |
| CVE | CVE-2025-64150 ↗ |
| CWE id | Name |
|---|---|
| CWE-862 | Missing Authorization |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | org.jenkins-ci.plugins:publish-to-bitbucket | <= 0.4 | — | — |