CVE-2026-57289 | Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and ear… | CVSS 4.8 MEDIUM

Description

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.

Metadata

CVE ID: CVE-2026-57289
State: PUBLISHED
Assigner: jenkins
Reserved: 2026-06-24 08:41 UTC
Published: 2026-06-24 13:20 UTC
Last updated: 2026-06-24 14:15 UTC
Primary CWE: CWE-295
CWE-295 Improper Certificate Validation
Vendor / Product: Jenkins Project / Jenkins Bitbucket Push and Pull Request Plugin
Sources: cve.org · NVD

Severity & Metrics

4.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Jenkins Project	Jenkins Bitbucket Push and Pull Request Plugin	—	0 ≤ 3.3.8

Weakness (CWE)

CWE	Source	Description
CWE-295	adp	CWE-295 Improper Certificate Validation

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.8	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References (1)

Jenkins Security Advisory 2026-06-24 https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3856