PT-2025-45742 — CSRF in Maven Org.Jenkins-Ci.Plugins:Publish-To-Bitbucket

PT-2025-45742 · Maven · Org.Jenkins-Ci.Plugins:Publish-To-Bitbucket

Published

2025-10-29

Updated

2025-10-29

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

GHSA-M244-6MFF-P355

Affected Products

Org.Jenkins-Ci.Plugins:Publish-To-Bitbucket

PT-2025-45742 · Maven · Org.Jenkins-Ci.Plugins:Publish-To-Bitbucket

Weakness Enumeration

Related Identifiers

Affected Products

References · 5