Vulnerability Database

296,853

Total vulnerabilities in the database

CVE-2025-64148

Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

Published: Oct 29, 2025
Updated: Oct 30, 2025
CVE: CVE-2025-64148
GHSA: GHSA-v549-7pm5-f8qr
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
org.jenkins-ci.plugins / publish-to-bitbucket	-	0.4.x

https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3570

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo