Impact
The vulnerability resides in the Jenkins Bitbucket OAuth Plugin, versions 0.17 and earlier, which accepts any URL as the redirect target after authentication. Because the redirect parameter is not validated, the plugin behaves as an open redirect (CWE-601): an attacker can send victims through the legitimate Jenkins login and onward to a malicious site that masquerades as a Jenkins page, facilitating credential theft or session hijacking. The impact is confined to phishing rather than direct code execution, but it undermines user trust in the Jenkins URL and can compromise sensitive accounts via social engineering.
Affected Systems
The affected component is the Jenkins Bitbucket OAuth Plugin developed by the Jenkins Project. All installations of this plugin at version 0.17 or earlier are vulnerable. Users running newer releases are not affected.
Risk and Exploitability
The CVSS score of 4.3 reflects a moderate level of risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web-based login flow in which an attacker constructs a crafted login URL that includes a malicious redirect target. Exploitation requires the attacker to control or influence the redirect parameter; it does not grant arbitrary code execution but can effectively redirect victims to phishing sites. While the exploitation path is straightforward for an attacker, the overall risk remains moderate because a successful phish still depends on user interaction.
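The root cause described in the Impact and Risk sections is a post-login redirect parameter that is passed through unvalidated. The following Python is an added illustration written for this page, not code from the Jenkins Bitbucket OAuth Plugin or the Jenkins Project, and the fix shipped in later plugin releases may differ. It shows a minimal "before" (accept any target) next to a hardened check that only follows relative paths or absolute URLs on an allowlisted host, and it handles the usual bypass shapes for this bug class (protocol-relative `//host`, scheme-only `https:host`, backslash variants, non-http schemes, userinfo tricks). The hostname `jenkins.example.internal`, the query parameter name `from`, and the sample login URLs are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Hostnames the application is allowed to send a browser to after login.
# Constructed sample value; a deployment would derive this from its configured root URL.
ALLOWED_HOSTS = {"jenkins.example.internal"}


def vulnerable_post_login_redirect(requested: str) -> str:
    """The open-redirect pattern (CWE-601): whatever the request asked for is used verbatim."""
    return requested


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` keeps the browser on an allowed host."""
    if not target:
        return False
    # Browsers treat backslashes as slashes in URLs; normalise before parsing
    # so that "/\evil.example" is seen as the protocol-relative "//evil.example".
    candidate = target.replace("\\", "/")
    parsed = urlparse(candidate)

    # Reject javascript:, data:, and any other non-http scheme outright.
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False

    # Absolute or protocol-relative URL: only allow an explicit http(s) scheme
    # and an allowlisted host. parsed.hostname already strips userinfo and port,
    # so "https://jenkins.example.internal@evil.example/" resolves to evil.example.
    if parsed.netloc:
        return parsed.scheme in ("http", "https") and parsed.hostname in allowed_hosts

    # A scheme with no host ("https:evil.example") is not a local path; reject it.
    if parsed.scheme:
        return False

    # Local path: must start with exactly one slash (two would be protocol-relative).
    return candidate.startswith("/") and not candidate.startswith("//")


def choose_post_login_redirect(requested: str, fallback: str = "/") -> str:
    """Hardened replacement: use the requested target only if it passes validation."""
    return requested if is_safe_redirect(requested) else fallback


def post_login_target_from_url(login_url: str, param: str = "from", fallback: str = "/") -> str:
    """Extract the redirect parameter from a crafted login URL and resolve it safely.

    `param` defaults to "from", assumed here for illustration.
    """
    query = parse_qs(urlparse(login_url).query)
    requested = query.get(param, [""])[0]
    return choose_post_login_redirect(requested, fallback)


if __name__ == "__main__":
    # Constructed sample login URLs, one benign and one carrying an external target.
    samples = [
        "https://jenkins.example.internal/securityRealm/commenceLogin?from=%2Fjob%2Fdeploy%2F",
        "https://jenkins.example.internal/securityRealm/commenceLogin?from=https%3A%2F%2Fevil.example%2Fjenkins",
    ]
    for url in samples:
        requested = parse_qs(urlparse(url).query).get("from", [""])[0]
        print(f"requested={requested!r}")
        print(f"  vulnerable -> {vulnerable_post_login_redirect(requested)!r}")
        print(f"  hardened   -> {post_login_target_from_url(url)!r}")
```

The allowlist check compares `parsed.hostname`, which ignores the port; if a deployment only wants to permit one exact origin, compare scheme, host and port together. Serving only relative paths (dropping the absolute-URL branch entirely) is the simpler policy when the login flow never needs to return a user to another host.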
OpenCVE Enrichment