CVE-2025-64149
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-29

Last updated on: 2025-11-04

Assigner: Jenkins Project

Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-29
Last Modified
2025-11-04
Generated
2026-05-07
AI Q&A
2025-10-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-64149
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jenkins publish_to_bitbucket to 0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a cross-site request forgery (CSRF) issue in the Jenkins Publish to Bitbucket Plugin version 0.4 and earlier. It allows attackers to connect to a URL specified by the attacker using credentials IDs that the attacker has obtained through other means, potentially capturing credentials stored in Jenkins.


How can this vulnerability impact me? :

An attacker exploiting this vulnerability can capture credentials stored in Jenkins by forcing the system to connect to an attacker-controlled URL using those credentials. This can lead to unauthorized access to sensitive information and systems, potentially compromising the security of your Jenkins environment and related resources.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart