CVE-2025-64148: Vulnerability in Jenkins Project Jenkins Publish to Bitbucket Plugin
A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AI Analysis
Technical Summary
CVE-2025-64148 is a vulnerability identified in the Jenkins Publish to Bitbucket Plugin version 0.4 and earlier. The root cause is a missing permission check that allows any user with Overall/Read permission within Jenkins to enumerate the IDs of credentials stored in Jenkins. This enumeration does not directly expose credential secrets, but it reveals the identifiers of stored credentials, which attackers can use to target specific credentials in further attacks such as phishing, social engineering, or privilege escalation. The vulnerability is classified under CWE-862 (Missing Authorization). The CVSS v3.1 base score is 4.3 (medium severity), reflecting a network attack vector, low attack complexity, low privileges required (Overall/Read) and no user interaction. The scope is unchanged, and the impact is limited to confidentiality loss without affecting integrity or availability. No known exploits have been reported, and no patches are currently available. This vulnerability highlights the importance of strict permission management in Jenkins environments, especially when integrating with external services like Bitbucket. Attackers with read access could map out credential IDs, aiding reconnaissance and targeted attacks against CI/CD pipelines.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality of credential metadata within Jenkins environments. Organizations relying heavily on Jenkins for continuous integration and deployment, particularly those integrating with Bitbucket repositories, may have sensitive credential identifiers exposed to users with read-level access. While direct credential compromise is not possible through this vulnerability alone, the leaked information can facilitate targeted attacks, including credential harvesting or lateral movement within the network. This risk is heightened in environments where many users have Overall/Read permissions or where credential management policies are lax. The impact on operational continuity is minimal, but the potential for subsequent exploitation could lead to more severe breaches. Given the widespread use of Jenkins in European tech sectors, especially in countries with strong DevOps adoption, this vulnerability could be leveraged in multi-stage attacks against software supply chains or internal development infrastructure.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Restrict Overall/Read permissions strictly to trusted users only, minimizing the number of users who can enumerate credential IDs.
2) Conduct a thorough audit of Jenkins user permissions and credential usage to identify and remove unnecessary access rights.
3) Monitor Jenkins logs for unusual enumeration patterns or repeated access attempts to credential metadata.
4) Isolate Jenkins instances and limit network exposure to reduce the attack surface.
5) Until an official patch is released, consider disabling or removing the vulnerable Publish to Bitbucket Plugin if feasible, or replace it with alternative secure integration methods.
6) Educate DevOps teams about the risks of credential enumeration and enforce strong credential management policies, including regular rotation and use of credential vaults.
7) Stay informed about updates from the Jenkins project and apply patches promptly once available.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: jenkins
- Date Reserved: 2025-10-28T07:34:37.543Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69021a8714cc779bff051082
Added to database: 10/29/2025, 1:45:43 PM
Last enriched: 11/5/2025, 3:56:15 PM
Last updated: 12/11/2025, 5:53:14 AM