Impact
The Jenkins Bitbucket Push and Pull Request Plugin, versions 3.3.8 and earlier, unconditionally disables SSL/TLS certificate and hostname verification for requests that use a Bearer token to authenticate with a Bitbucket Server. Because the plugin accepts any certificate on these requests, an attacker positioned on the network path between Jenkins and the Bitbucket Server endpoint can impersonate the server, terminate the TLS session, and read the Bearer token from the Authorization header (a man-in-the-middle attack). The captured token grants the attacker whatever access its legitimate owner has on Bitbucket, so the result is a direct compromise of an authentication credential. The weakness is classified as Improper Certificate Validation (CWE-295) and, more broadly, Cryptographic Issues (CWE-310).
Affected Systems
Any Jenkins instance with the Bitbucket Push and Pull Request Plugin at version 3.3.8 or earlier installed is affected. The exposure applies to configurations in which the plugin authenticates to a Bitbucket Server with a Bearer token, since those are the requests for which verification is disabled; because the behaviour is unconditional for such requests, no plugin or Jenkins setting in the affected versions restores verification. Administrators should confirm the installed version in the Jenkins plugin manager. This plugin is easily confused with other Jenkins Bitbucket integrations; this advisory covers only the Bitbucket Push and Pull Request Plugin, and only releases up to and including 3.3.8.
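The version check described above, as an added example that is not part of the original advisory and not code from the plugin or the Jenkins project: it reads the JSON that the Jenkins plugin manager API returns and flags any installed copy of the plugin in the affected range. The plugin short name `bitbucket-push-and-pull-request` is an assumption to verify against your own inventory, the 3.3.8 cut-off is taken from the advisory text, and the two sample responses are constructed rather than captured from a real instance.

```python
"""Audit a Jenkins plugin inventory for the affected plugin version range.

The input is the JSON returned by the Jenkins plugin manager API
(GET <jenkins-url>/pluginManager/api/json?depth=1), which lists every
installed plugin with its shortName, version and active flag.
"""
import json
import re

# Assumption: the plugin's update-center short name is
# "bitbucket-push-and-pull-request". Check it against your own inventory.
AFFECTED_SHORT_NAME = "bitbucket-push-and-pull-request"
# From the advisory text: 3.3.8 and everything earlier is affected.
LAST_AFFECTED_VERSION = "3.3.8"

# Constructed sample responses (not real Jenkins output): one instance
# running an affected version, one running a later version.
SAMPLE_AFFECTED = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1", "active": True},
    {"shortName": "bitbucket-push-and-pull-request", "version": "3.3.8", "active": True},
]})
SAMPLE_CLEAN = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.1", "active": True},
    {"shortName": "bitbucket-push-and-pull-request", "version": "3.4.0", "active": True},
]})


def parse_version(version):
    """Split a plugin version into comparable parts.

    Numeric components compare as integers; a non-numeric component such
    as "beta" or "SNAPSHOT" is tagged so it sorts below any number, which
    makes "3.3.8-beta" compare lower than "3.3.8".
    """
    parts = []
    for token in re.split(r"[.\-]", version.strip()):
        if token.isdigit():
            parts.append((1, int(token)))
        elif token:
            parts.append((0, token.lower()))
    return parts


def compare_versions(a, b):
    """Return -1, 0 or 1 as a three-way comparison of two version strings.

    Shorter versions are padded with zero components, so "3.4" equals
    "3.4.0" and "3.3.8.1" is greater than "3.3.8".
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(1, 0)] * (width - len(pa))
    pb += [(1, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version):
    """True when the version is 3.3.8 or earlier."""
    if not parse_version(version):
        raise ValueError("empty or unparseable plugin version: %r" % (version,))
    return compare_versions(version, LAST_AFFECTED_VERSION) <= 0


def audit_plugins(plugin_api_json):
    """Return one finding per installed copy of the plugin.

    Each finding records the version, whether it falls in the affected
    range, and whether the plugin is active; a disabled plugin is still
    reported because it becomes exposed the moment it is enabled.
    """
    doc = json.loads(plugin_api_json)
    findings = []
    for plugin in doc.get("plugins", []):
        if plugin.get("shortName") != AFFECTED_SHORT_NAME:
            continue
        version = str(plugin.get("version", "")).strip()
        findings.append({
            "shortName": AFFECTED_SHORT_NAME,
            "version": version,
            "affected": is_affected(version) if version else None,
            "active": bool(plugin.get("active", False)),
        })
    return findings


if __name__ == "__main__":
    for label, doc in (("affected", SAMPLE_AFFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, json.dumps(audit_plugins(doc)))
```

To run it against a live controller, save the output of `curl -u USER:APITOKEN "$JENKINS_URL/pluginManager/api/json?depth=1"` and pass the file contents to `audit_plugins`. The comparison deliberately treats pre-release suffixes as older than the bare release, so a `3.3.8-SNAPSHOT` build is reported as affected rather than silently passing.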
Risk and Exploitability
An attacker who can intercept or redirect traffic between Jenkins and the Bitbucket Server (for example, by controlling a router, a proxy, or name resolution on that path) can present their own certificate, which the affected plugin accepts without validation, and read the Bearer token from the request. No EPSS score is available. The CVSS score of 4.8 places the issue at medium severity, reflecting the network position the attacker must first obtain, and the vulnerability is not listed in the CISA KEV catalog. No privileges on Jenkins or Bitbucket are needed, and the payoff is a reusable credential, so although the likelihood is moderate, the impact of a successful interception is high: a Bearer token can be replayed from anywhere until it is revoked. Any Bitbucket Server Bearer token used by an affected plugin version over a path that is not otherwise trusted should be treated as potentially exposed and rotated once certificate verification is back in place.
OpenCVE Enrichment