CVE-2025-24398
Published: 22 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-24398 affects the Jenkins Bitbucket Server Integration Plugin in versions 2.1.0 through 4.1.3 inclusive. The vulnerability enables attackers to craft URLs that bypass Cross-Site Request Forgery (CSRF) protection for any target URL within a Jenkins instance. Classified as CWE-352, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
Unauthenticated attackers (PR:N) can exploit this by luring Jenkins users with no special privileges into interacting with malicious URLs (UI:R), such as clicking a link. Successful exploitation bypasses CSRF safeguards, allowing the attacker to perform unauthorized actions on any CSRF-protected Jenkins endpoint, potentially compromising the instance entirely given the high impact scores across all vectors.
The official Jenkins security advisory provides mitigation guidance, including patch details, and is available at https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3434.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF bypass vulnerability in the public-facing Jenkins Bitbucket Server Integration Plugin, allowing crafted malicious URLs to perform unauthorized actions on protected endpoints. This directly enables exploitation of a public-facing application (T1190) and requires user interaction via clicking a malicious link (T1204.001).