CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64150
https://notcve.org/view.php?id=CVE-2025-64150
29 Oct 2025 — A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3576 • CWE-862: Missing Authorization
CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64149
https://notcve.org/view.php?id=CVE-2025-64149
29 Oct 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3576 • CWE-352: Cross-Site Request Forgery (CSRF)
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64148
https://notcve.org/view.php?id=CVE-2025-64148
29 Oct 2025 — A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3570 • CWE-862: Missing Authorization
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64147
https://notcve.org/view.php?id=CVE-2025-64147
29 Oct 2025 — Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3562 • CWE-311: Missing Encryption of Sensitive Data
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64146
https://notcve.org/view.php?id=CVE-2025-64146
29 Oct 2025 — Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3562 • CWE-311: Missing Encryption of Sensitive Data
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64145
https://notcve.org/view.php?id=CVE-2025-64145
29 Oct 2025 — Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3560 • CWE-311: Missing Encryption of Sensitive Data
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64144
https://notcve.org/view.php?id=CVE-2025-64144
29 Oct 2025 — Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3560 • CWE-311: Missing Encryption of Sensitive Data
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64143
https://notcve.org/view.php?id=CVE-2025-64143
29 Oct 2025 — Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3553 • CWE-311: Missing Encryption of Sensitive Data
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64142
https://notcve.org/view.php?id=CVE-2025-64142
29 Oct 2025 — A missing permission check in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3550 • CWE-862: Missing Authorization
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-64141
https://notcve.org/view.php?id=CVE-2025-64141
29 Oct 2025 — A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials. • https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3550 • CWE-352: Cross-Site Request Forgery (CSRF)
