CVE-2025-64150: 
Java Análise e mitigação de vulnerabilidades

CVE-2025-64150 is a medium severity vulnerability affecting the Jenkins Publish to Bitbucket Plugin versions 0.4 and earlier, discovered and disclosed on October 29, 2025. The vulnerability stems from a missing permission check in an HTTP endpoint that affects the plugin's security controls (Jenkins Project, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue specifically relates to a missing permission check in an HTTP endpoint within the plugin's BitbucketPublisher.java file, in the DescriptorImpl class's doTestConnection method. This method accepts serverUrl and credentialsId as parameters but lacks proper authorization controls (Miggo).

The vulnerability allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs that were obtained through another method. This can lead to the capture of credentials stored in Jenkins, potentially compromising sensitive authentication information (Jenkins Project).

As of the advisory's publication date, no official fix is available for this vulnerability. Organizations using the affected plugin versions should consider implementing additional access controls and monitoring mechanisms to restrict access to the vulnerable endpoint (Jenkins Project).