CVE-2025-64149: Jenkins Publish to Bitbucket Plugin vulnerable to CSRF and missing permissions check
5.4
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:publish-to-bitbucket | maven | <= 0.4 | None available |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description for CVE-2025-64149 in the Jenkins Publish to Bitbucket Plugin points to a missing permission check and a CSRF vulnerability in an HTTP endpoint that together allow credential theft. Since no patch is available, the analysis focused on the source code of the latest vulnerable version, 0.4. The file src/main/java/org/jenkinsci/plugins/publishtobitbucket/BitbucketPublisher.java contains a nested class DescriptorImpl, the standard Jenkins mechanism for handling plugin configuration. Inside this class, the method doTestConnection is exposed as an HTTP endpoint for UI validation. It takes serverUrl and credentialsId as user-supplied parameters, retrieves the credentials identified by credentialsId, and makes an HTTP GET request to the supplied serverUrl using those credentials. The method performs no permission check, which matches the advisory's claim that users with only Overall/Read permission can exploit it: such a user can supply a server URL they control and capture the credentials Jenkins sends to it. Handling an action with side effects (an outbound web request carrying credentials) over GET also confirms the CSRF vulnerability described in the advisory. Therefore, org.jenkinsci.plugins.publishtobitbucket.BitbucketPublisher$DescriptorImpl.doTestConnection is identified as the vulnerable function.
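The plugin's own source is not reproduced on this page, so the following is an added illustration (not the project's code) of the endpoint shape the analysis describes next to the hardened shape that Jenkins' form-validation guidance prescribes: a @POST annotation so Stapler refuses GET and enforces the CSRF crumb, and an explicit permission check bound to the job being configured. The parameter names follow the analysis above; the class name and the testConnection helper are hypothetical placeholders.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor used only to contrast the two endpoint shapes.
public class DescriptorShapeExample {

    // Vulnerable shape as characterised in the analysis: reachable via GET and
    // with no permission check, so any Overall/Read user (or a CSRF victim with
    // that permission) can make Jenkins send the chosen credentials to an
    // arbitrary serverUrl.
    public FormValidation doTestConnectionVulnerable(
            @QueryParameter String serverUrl,
            @QueryParameter String credentialsId) {
        return testConnection(serverUrl, credentialsId);
    }

    // Hardened shape:
    //  * @POST makes Stapler reject GET requests and require a valid crumb,
    //    which closes the CSRF vector.
    //  * checkPermission throws AccessDeniedException unless the caller may
    //    configure the job in whose context the form is rendered; with no job
    //    context (global configuration) Overall/Administer is required.
    // Resolve credentialsId within the same item context (for example via
    // CredentialsProvider.lookupCredentials with the item) so a caller cannot
    // reference credentials outside the job's scope.
    @POST
    public FormValidation doTestConnection(
            @AncestorInPath Item item,
            @QueryParameter String serverUrl,
            @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return testConnection(serverUrl, credentialsId);
    }

    // Placeholder for the plugin's real connection test, which is not shown here.
    private FormValidation testConnection(String serverUrl, String credentialsId) {
        return FormValidation.ok("Connection test placeholder");
    }
}
```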
Vulnerable functions
org.jenkinsci.plugins.publishtobitbucket.BitbucketPublisher$DescriptorImpl.doTestConnection (src/main/java/org/jenkinsci/plugins/publishtobitbucket/BitbucketPublisher.java)