Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Network vector because Jenkins contacts Bitbucket over HTTPS; AC:H for required MitM positioning; PR:N as attacker needs no credentials; C:L/I:L for token capture and potential request manipulation; no availability impact.
Primary rating from Vendor (jenkins).
CVSS VectorVendor: jenkins
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.
AnalysisAI
Jenkins Bitbucket Push and Pull Request Plugin versions 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for all outbound Bearer token authenticated requests to configured Bitbucket Server endpoints, creating a man-in-the-middle exposure. Any attacker positioned to intercept network traffic on the path between the Jenkins controller and the Bitbucket Server can capture the Bearer token and subsequently authenticate directly to the Bitbucket Server API. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability is triggered unconditionally whenever the Jenkins Bitbucket Push and Pull Request Plugin version 3.3.8 or earlier sends any Bearer token authenticated request to the configured Bitbucket Server endpoint - no special plugin configuration, non-default setting, or specific workflow is required; installing the plugin with a Bitbucket Server URL configured is sufficient to be exposed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, score 4.8) is internally consistent: high attack complexity (AC:H) reflects the prerequisite of network interception positioning, while the absence of required privileges (PR:N) on the attacker side correctly captures that no Jenkins or Bitbucket credentials are needed to exploit the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same network segment as the Jenkins controller - or with access to a network device on the path to the Bitbucket Server - performs ARP spoofing or DNS manipulation to position themselves as a MitM. When the plugin sends an outbound HTTPS request to the Bitbucket Server endpoint with the Bearer token in the Authorization header, the attacker presents a self-signed certificate; because hostname and certificate validation are unconditionally disabled, the plugin accepts the connection without error and transmits the token in plaintext to the attacker. … |
| Remediation | Administrators should consult the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3856 to identify the patched plugin release and upgrade immediately via the Jenkins Plugin Manager (Manage Jenkins → Plugins → Available updates). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38770
GHSA-jwhr-h7pc-3974