PT-2025-5356 · Jenkins · Jenkins Bitbucket Server Integration Plugin (+1)

Vincent Latombe · Published 2025-01-22 · Updated 2025-06-06 · CVE-2025-24398

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins Bitbucket Server Integration Plugin versions 2.1.0 through 4.1.3

Description: The issue allows attackers to craft URLs that bypass the CSRF protection of any target URL in Jenkins. The cause is an overly permissive implementation in the Bitbucket Server Integration Plugin, in code intended to support OAuth 1.0 authentication. The plugin implements an extension point that selectively disables cross-site request forgery (CSRF) protection for specific URLs; in versions 2.1.0 through 4.1.3 the set of URLs it exempts is far broader than the endpoints that actually need the exemption.

Recommendations: For Jenkins Bitbucket Server Integration Plugin versions 2.1.0 through 4.1.3, update to version 4.1.4, which restricts the URLs for which CSRF protection is disabled to only those that need it. As a temporary workaround, consider restricting access to the vulnerable plugin until the update is applied.
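The extension point the description refers to is Jenkins' CrumbExclusion: a plugin returns true from process() to tell the crumb (CSRF) filter to skip its check for a request. The following is an added illustration written for this page, not the Bitbucket Server Integration Plugin's actual code, of the pattern the fix describes: exempting exactly the one endpoint that needs it rather than matching broadly. The class name, the exempt path (/bitbucket-oauth/access-token) and the helper names are assumptions; the servlet imports are javax.servlet, which matches older Jenkins cores (newer cores use jakarta.servlet instead).

```java
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Hypothetical CrumbExclusion illustrating the difference between a broad
 * exemption and a tightly scoped one. Not the plugin's own implementation.
 */
@Extension
public class OAuthCallbackCrumbExclusion extends CrumbExclusion {

    // Assumed: the single endpoint that must accept a POST without a crumb
    // (an OAuth 1.0 callback that cannot carry a Jenkins crumb).
    static final String EXEMPT_PATH = "/bitbucket-oauth/access-token";

    /**
     * Over-broad check (the anti-pattern): any request whose path merely
     * contains a keyword is exempted, which covers far more than the one
     * endpoint that needs it. Shown for contrast only; do not use.
     */
    static boolean permissiveMatch(String pathInfo) {
        return pathInfo != null && pathInfo.contains("bitbucket-oauth");
    }

    /**
     * Scoped check: exempt only the exact path, after normalising away a
     * trailing slash so "/x" and "/x/" are treated the same.
     */
    static boolean strictMatch(String pathInfo) {
        if (pathInfo == null) {
            return false;
        }
        String normalised = pathInfo.endsWith("/")
                ? pathInfo.substring(0, pathInfo.length() - 1)
                : pathInfo;
        return normalised.equals(EXEMPT_PATH);
    }

    @Override
    public boolean process(HttpServletRequest req, HttpServletResponse resp,
                           FilterChain chain) throws IOException, ServletException {
        // Only the exact OAuth callback path bypasses the crumb filter.
        if (strictMatch(req.getPathInfo())) {
            chain.doFilter(req, resp);
            return true;   // crumb check skipped for this request
        }
        return false;      // every other URL keeps CSRF protection
    }
}
```

When reviewing a plugin's CrumbExclusion, the question to ask is whether process() can return true for any request path other than the handful of endpoints that genuinely cannot supply a crumb; substring or prefix matches on a short token, as in permissiveMatch above, are the usual way that set grows wider than intended.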

Fix

CSRF


Weakness Enumeration

Related Identifiers

BDU:2025-02399
CVE-2025-24398
GHSA-QJW6-XVRM-5F2H

Affected Products

Jenkins
Jenkins Bitbucket Server Integration Plugin