CVE-2025-64150: Vulnerability in Jenkins Project Jenkins Publish to Bitbucket Plugin
A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AI Analysis
Technical Summary
CVE-2025-64150 affects Jenkins Publish to Bitbucket Plugin 0.4 and earlier. The root cause is a missing permission check: an HTTP endpoint exposed by the plugin accepts a URL and a credentials ID, resolves that ID against the credentials stored in Jenkins, and connects to the URL with the resolved credential, but it never verifies that the caller is allowed to use those credentials. Any user with Overall/Read permission (in many installations every authenticated user, and even anonymous users where anonymous read access is enabled) can therefore call the endpoint, point the URL at a server they control, and capture the credential from the connection the Jenkins controller makes to it. The attacker must already know the credentials ID; the advisory states it is obtained through another method (for example from a Jenkinsfile in a repository they can read, from a job they may configure, or by guessing common IDs), so this vulnerability does not itself enumerate credentials. In Jenkins plugins this class of bug is typically a form-validation method such as a "test connection" handler on a Descriptor, which Stapler maps to a web URL without enforcing any permission of its own. Exploitation is over the network and needs no interaction from anyone other than the attacker. The CVE record published by the Jenkins project carries no CVSS score or vector (the Technical Details below list the CVSS version as null); the weakness is a missing authorization check, CWE-862. No fixed release was available when the advisory was published, and no exploitation in the wild has been reported. The plugin is used in CI/CD pipelines to publish code to Bitbucket repositories; an instance is affected as soon as the plugin is installed and enabled, whether or not any job actually uses it, because the Descriptor endpoint exists regardless of job configuration.
Potential Impact
For European organizations, the direct risk is disclosure of credentials stored in Jenkins: any credential whose ID the attacker can name and the plugin can resolve, not only the one configured for Bitbucket. A captured Bitbucket credential lets an attacker read or tamper with source repositories, steal intellectual property, inject malicious commits or pipeline changes, and pivot to any other system that accepts the same credential. Because the credential leaves through a connection that the Jenkins controller itself initiates, controls that only restrict inbound traffic do not help. The impact is most serious where Jenkins drives production deployments or handles code in regulated sectors such as finance, healthcare and critical infrastructure, and it is a realistic software-supply-chain risk, since altered code in Bitbucket flows into every downstream build that consumes it. Exploitation needs only Overall/Read, so a compromised low-privilege account or an insider is sufficient, and the absence of a fix at publication leaves compensating controls as the only option. The medium rating shown on this page reflects the trade-off between the authenticated access required and the damage a leaked credential enables.
Mitigation Recommendations
Until a fixed release is available, treat the plugin as exposing every credential it can resolve to every user with Overall/Read, and act accordingly. Verify whether the plugin is installed and at version 0.4 or earlier (Manage Jenkins > Plugins) and remove it if it is not essential; if it must stay, review who holds Overall/Read and disable anonymous read access, since that permission is the only one the attacker needs. Reduce what a known ID can resolve: keep credentials scoped to folders or jobs rather than the global store, and delete credentials the plugin does not need. Rotate credentials the plugin could have resolved, Bitbucket credentials first, on the assumption that their IDs may already be known. Restrict outbound connections from the Jenkins controller to the legitimate Bitbucket host(s) so that an attacker-supplied URL is unreachable, and alert on controller egress to unexpected destinations. Jenkins does not write an HTTP access log by default, so if you need to see which user requested which form-validation URL with which credentialsId parameter, put a reverse proxy with access logging in front of the controller. Where possible move secrets into an external vault so that Jenkins holds only short-lived or narrowly scoped credentials. Track the Jenkins security advisory for this CVE and apply the fixed plugin version as soon as it is published.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: jenkins
- Date Reserved: 2025-10-28T07:34:37.543Z
- CVSS Version: null (no CVSS score in the CVE record)
- State: PUBLISHED
Threat ID: 69021a8714cc779bff051088
Added to database: 10/29/2025, 1:45:43 PM
Last enriched: 11/5/2025, 3:56:43 PM
Last updated: 12/12/2025, 12:55:34 PM