CVE-2025-64150: Jenkins Publish to Bitbucket Plugin is missing a permissions check
Score: 5.4
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:publish-to-bitbucket | maven | <= 0.4 | None available at time of analysis |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The description of CVE-2025-64150 states that the Jenkins Publish to Bitbucket Plugin exposes an HTTP endpoint without a permission check, allowing attackers with Overall/Read permission to capture credentials stored in Jenkins, and that the same endpoint does not require POST requests, which makes it exploitable through cross-site request forgery (CSRF). Because no patched version exists (see the table above), the analysis worked from the plugin's source code to locate an endpoint matching that description.

BitbucketPublisher.java contains a DescriptorImpl class, the standard place where a Jenkins plugin exposes its configuration form and the HTTP endpoints that back it. Inside that class, doTestConnection was identified as the vulnerable method. It is meant to be called from the job configuration UI to test the connection to a Bitbucket server: it accepts serverUrl and credentialsId as query parameters, resolves the credential with that ID from the Jenkins credentials store, and issues a GET request to the supplied serverUrl with that credential in the Authorization header.

Crucially, the method performs no permission check (for example checkPermission against the job's Item.CONFIGURE or against Jenkins.ADMINISTER) and carries no @RequirePOST (or @POST) annotation, so it is reachable by any authenticated user with a plain GET request. These two omissions correspond exactly to the missing authorization and the CSRF issue in the advisory, and they give an attacker two routes to the same outcome. A user who holds Overall/Read and knows or guesses a credentialsId can call the endpoint directly with a serverUrl pointing at a server they control and read the credential out of the incoming Authorization header. Alternatively, because a GET suffices, an attacker can lure an already authenticated Jenkins user to a page that triggers that request from the victim's browser and collect the credential the same way.

The expected remediation, following Jenkins' form-validation security guidance, is to require POST on the method (so the Jenkins CSRF crumb is enforced) and to check that the caller may configure the job (Item.CONFIGURE) or, outside a job context, administer Jenkins (Jenkins.ADMINISTER) before any credential is resolved. Until a fixed release is available, administrators should consider disabling the plugin and rotating any credentials whose IDs could have been passed to this endpoint.
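The following is an added illustration, not the plugin's own source: a minimal reconstruction of the vulnerable shape described above next to the hardened form that the Jenkins form-validation guidance calls for. The class names, the probe logic (HTTP Basic over a GET), the credential lookup helper and the use of a recent Credentials plugin API (lookupCredentialsInItem with ACL.SYSTEM2) are assumptions made for the example.

```java
// Added example (not the plugin's code): the pattern the analysis describes,
// in a vulnerable and a hardened form. Class names, the probe logic and the
// credential lookup are assumptions for illustration.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class TestConnectionExample {

    // Resolve a username/password credential by ID, as a Descriptor typically does.
    // Lookup runs as SYSTEM, which is why the authorization check must come first.
    static StandardUsernamePasswordCredentials lookup(Item item, String serverUrl, String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentialsInItem(
                        StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM2,
                        URIRequirementBuilder.fromUri(serverUrl).build()),
                CredentialsMatchers.withId(credentialsId));
    }

    // The probe itself: GET serverUrl with the credential as HTTP Basic auth.
    // Whoever controls serverUrl receives the Authorization header.
    static FormValidation probe(String serverUrl, StandardUsernamePasswordCredentials c) throws IOException {
        String basic = Base64.getEncoder().encodeToString(
                (c.getUsername() + ":" + c.getPassword().getPlainText()).getBytes(StandardCharsets.UTF_8));
        HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Basic " + basic);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        int status = conn.getResponseCode();
        return status == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + status);
    }

    // VULNERABLE shape: reachable by GET, no permission check. Any user with
    // Overall/Read (or a victim's browser via CSRF) can set serverUrl to a
    // host they control and receive the credential in the Authorization header.
    public static class VulnerableDescriptor {
        public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                               @QueryParameter String credentialsId) throws IOException {
            StandardUsernamePasswordCredentials c = lookup(null, serverUrl, credentialsId);
            if (c == null) return FormValidation.error("No credentials with ID " + credentialsId);
            return probe(serverUrl, c);
        }
    }

    // HARDENED shape, following Jenkins' form-validation guidance:
    //  1. @POST (equivalently @RequirePOST): GET is rejected, and the Jenkins
    //     CSRF crumb is enforced on POST, so a cross-site <img>/<a> request
    //     cannot trigger the probe.
    //  2. Authorization: in a job context the caller must be allowed to
    //     configure that job; outside one, must be a Jenkins administrator.
    //  3. Only http/https targets, so URL.openConnection() cannot be pointed
    //     at other URL handlers and the HttpURLConnection cast cannot fail.
    public static class HardenedDescriptor {
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl,
                                               @QueryParameter String credentialsId) throws IOException {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (serverUrl == null || !(serverUrl.startsWith("https://") || serverUrl.startsWith("http://"))) {
                return FormValidation.error("serverUrl must be an http(s) URL");
            }
            StandardUsernamePasswordCredentials c = lookup(item, serverUrl, credentialsId);
            if (c == null) return FormValidation.error("No credentials with ID " + credentialsId);
            return probe(serverUrl, c);
        }
    }
}
```

Even in the hardened form the endpoint still sends a stored credential to whatever URL the caller supplies; that is acceptable only because the caller has now been verified to be someone who could already configure the job or administer Jenkins. The permission check must run before the credential lookup, since the lookup runs as SYSTEM and would otherwise resolve credentials the requesting user is not entitled to see.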
Vulnerable functions
Function: org.jenkinsci.plugins.publishtobitbucket.BitbucketPublisher.DescriptorImpl.doTestConnection
File: src/main/java/org/jenkinsci/plugins/publishtobitbucket/BitbucketPublisher.java