CVE-2025-64148: 
Java vulnerability analysis and mitigation

A missing permission check vulnerability was discovered in Jenkins Publish to Bitbucket Plugin, tracked as CVE-2025-64148. The vulnerability affects versions 0.4 and earlier of the plugin, and was disclosed on October 29, 2025. The issue impacts the Jenkins automation server's credential management system (Jenkins Project, NVD).

The vulnerability stems from a missing permission check in a method implementing form validation within the Jenkins Publish to Bitbucket Plugin. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (CISA-ADP).

The vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. These enumerated credential IDs can potentially be used as part of a broader attack to capture the credentials when combined with other vulnerabilities (Jenkins Project).

As of the advisory's publication date, there is no fix available for this vulnerability in the Publish to Bitbucket Plugin. Organizations using affected versions (0.4 and earlier) should monitor for updates and consider implementing additional access controls to restrict Overall/Read permissions (Jenkins Project).