CVE-2025-64148
📋 TL;DR
The Jenkins Publish to Bitbucket Plugin before version 0.5 has a missing permission check that allows authenticated attackers with only Overall/Read permission to enumerate credential IDs stored in Jenkins. This affects Jenkins instances using the vulnerable plugin version. Attackers can discover credential identifiers but cannot directly access credential contents.
💻 Affected Systems
- Jenkins Publish to Bitbucket Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers map all credential IDs, enabling targeted attacks on specific credentials through other vulnerabilities or social engineering, potentially leading to credential theft and lateral movement.
Likely Case
Attackers gather intelligence about credential types and IDs, facilitating reconnaissance for credential misuse or brute-force attacks on other systems.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without direct credential access.
🎯 Exploit Status
Exploitation requires authenticated access with Overall/Read permission; simple API calls can then enumerate credential IDs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.5
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3570
Restart Required: No
Instructions:
1. Open the Jenkins web interface.
2. Navigate to Manage Jenkins > Manage Plugins.
3. Go to the Available tab.
4. Search for 'Publish to Bitbucket Plugin'.
5. Install version 0.5 or later.
6. No restart is required.
🔧 Temporary Workarounds
Restrict Overall/Read Permissions
Limit Overall/Read permission to trusted users only to prevent credential ID enumeration.
Remove Vulnerable Plugin
Uninstall the Publish to Bitbucket Plugin if it is not needed:
Manage Jenkins > Manage Plugins > Installed tab > Uncheck Publish to Bitbucket Plugin > Apply
🧯 If You Can't Patch
- Review and restrict Overall/Read permissions to minimal necessary users.
- Monitor for unusual credential enumeration attempts in Jenkins logs.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab, look for 'Publish to Bitbucket Plugin' version.
Check Version:
No CLI command; check via Jenkins web UI as above.
Verify Fix Applied:
Verify plugin version is 0.5 or later in Manage Plugins > Installed tab.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests to credential-related endpoints from users with only Overall/Read permission.
Network Indicators:
- Multiple GET requests to /credentials/store/ API paths from single user in short time.
SIEM Query:
source="jenkins.log" AND (uri_path="/credentials/store/" OR message="credential") AND user_permission="Overall/Read"
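As an added detection example (not from this advisory page or the plugin project), the script below applies the network indicator above to constructed access-log lines, flagging any user who bursts GET requests to /credentials/store/ paths within a sliding time window; the log format, user names and sample traffic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape (Jenkins keeps no request log by default; this mirrors a
# reverse-proxy access log in front of it that records the authenticated user):
#   <client ip> <user> [<ISO-8601 timestamp>] "<METHOD> <path>" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# Constructed sample lines, not real traffic: one ordinary user, and one user
# walking the credentials store in quick succession.
SAMPLE_LOG = """\
10.0.0.5 alice [2025-10-30T09:00:01] "GET /job/build/api/json" 200
10.0.0.5 alice [2025-10-30T09:00:04] "GET /credentials/store/system/domain/_/api/json" 200
10.0.0.9 mallory [2025-10-30T09:00:02] "GET /credentials/store/system/domain/_/api/json" 200
10.0.0.9 mallory [2025-10-30T09:00:03] "GET /credentials/store/system/domain/_/credential/cred-1/api/json" 200
10.0.0.9 mallory [2025-10-30T09:00:05] "GET /credentials/store/system/domain/_/credential/cred-2/api/json" 200
10.0.0.9 mallory [2025-10-30T09:00:06] "GET /credentials/store/system/domain/_/credential/cred-3/api/json" 200
10.0.0.9 mallory [2025-10-30T09:00:08] "GET /credentials/store/system/domain/_/credential/cred-4/api/json" 200
"""

def parse_line(line):
    """Parse one log line into a dict (timestamp as datetime), or None if unmatched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_enumeration_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {user: n} for users whose GETs to /credentials/store/ paths reach `threshold` inside any `window`."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and "/credentials/store/" in rec["path"]:
            per_user[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop requests older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged
```

Tune `threshold` and `window` to the normal rate at which your own automation reads the credentials store, so legitimate jobs are not flagged.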