CVE-2025-24398

CWE-352 — Cross-Site Request Forgery (CSRF)5 documents5 sources

Severity

8.8HIGH

EPSS

0.1%

top 77.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Bitbucket Server Integration Jenkins Project Jenkins Bitbucket Server Integration Plugin

Timeline

PublishedJan 22

Description

Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenio.jenkins.plugins:atlassian-bitbucket-server-integration2.1.0 — 4.1.4

▶CVEListV5jenkins_project/jenkins_bitbucket_server_integration_plugin2.1.0 — 4.1.3

▶NVDjenkins/bitbucket2.1.0 — 4.1.4

🔴Vulnerability Details

GHSA

Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL↗2025-01-22

▶

OSV

Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL↗2025-01-22

▶

CVEList

CVE-2025-24398: Jenkins Bitbucket Server Integration Plugin 2↗2025-01-22

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2025-01-22↗2025-01-22

▶