CVE-2026-57289

MEDIUM

Jenkins Bitbucket Push And Pull Request Plugin < 3.3.8 - Improper Certificate Validation

Title source: rule
STIX 2.1

Description

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
Jenkins Security Advisory 2026-06-24
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3856

Scores

CVSS v3 4.8
EPSS 0.0011
EPSS Percentile 1.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-295
Status published
Products (2)
jenkins/bitbucket_push_and_pull_request < 3.3.9
Jenkins Project/Jenkins Bitbucket Push and Pull Request Plugin < 3.3.8
Published Jun 24, 2026
Tracked Since Jun 24, 2026