Missing Authorization Affecting org.jenkins-ci.plugins:publish-to-bitbucket package, versions [0,]
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Missing Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGJENKINSCIPLUGINS-13774800
- published30 Oct 2025
- disclosed29 Oct 2025
- creditDaniel Beck
Introduced: 29 Oct 2025
NewCVE-2025-64150 (opens in a new tab)How to fix?
There is no fixed version for org.jenkins-ci.plugins:publish-to-bitbucket.
Overview
org.jenkins-ci.plugins:publish-to-bitbucket is a This plugin publishes the current code to a bitbucket server by creating a new repository and/or project. Creates a Bitbucket repository (and associated project) from the current code.
Features
Creates Bitbucket repository based on the current code in the workspace Creates Bitbucket projects for the repository if needed. Assign users with read/write permission to the repository Assign group with read/write permission to the repository Potential upcoming features
Support for github Requirements
Existing Bitbucket server. Bitbucket user with permission to create the repository/project Jenkins
Jenkins version 1.642.3 or newer is required. Version 1.0 (March 27, 2017) Initial release
Affected versions of this package are vulnerable to Missing Authorization in the HTTP endpoint, which does not perform a required permission check. An attacker with Overall/Read permission can connect to an attacker-controlled HTTP URL using credentials IDs obtained through other means, potentially capturing credentials stored in the system. This endpoint also does not require POST requests, allowing exploitation by submitting crafted requests.