Jenkins · Jenkins Jclouds Plugin · CVE-2019-10368
**Name of the Vulnerable Software and Affected Versions**
Jenkins JClouds Plugin versions 2.14 and earlier
**Description**
A missing permission check on a form validation method allows users with Overall/Read access to make Jenkins connect to an attacker-specified URL using an attacker-specified credentials ID, potentially capturing credentials stored in Jenkins. Because the same method also did not require POST requests, the request could additionally be triggered through cross-site request forgery.
**Recommendations**
For Jenkins JClouds Plugin versions 2.14 and earlier, update the plugin to a version in which the form validation method requires POST requests and the Overall/Administer permission; together these close both the missing permission check and the cross-site request forgery vector.
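As an added illustration of the fix pattern the recommendation refers to (not the JClouds plugin's own code), the following Stapler form validation method rejects GET requests and checks Overall/Administer before it touches either the URL or the credentials ID. The package, class and parameter names are hypothetical; the API calls assume Jenkins core and the Credentials plugin.

```java
package example.jclouds;  // hypothetical package, not the plugin's own
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;

// Hypothetical describable standing in for a cloud profile configured in the Jenkins UI.
public class CloudProfile extends AbstractDescribableImpl<CloudProfile> {
    @DataBoundConstructor public CloudProfile() {}

    @Extension
    public static class DescriptorImpl extends Descriptor<CloudProfile> {
        @Override public String getDisplayName() { return "Cloud profile"; }

        // Vulnerable shape described by the advisory: no @RequirePOST and no permission check,
        // so a plain GET from any Overall/Read user (or from a cross-site page) reaches the body:
        //   public FormValidation doTestConnection(@QueryParameter String endpointUrl,
        //                                          @QueryParameter String credentialsId) { ... }

        @RequirePOST  // GET requests are rejected, which closes the CSRF path
        public FormValidation doTestConnection(@QueryParameter String endpointUrl,
                                               @QueryParameter String credentialsId) {
            // Overall/Administer is required before the caller-supplied inputs are used at all
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            // Credentials are resolved only after the permission check has passed
            StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                            Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                    CredentialsMatchers.withId(credentialsId));
            if (creds == null) return FormValidation.error("No credentials with ID " + credentialsId);
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(endpointUrl).openConnection();
                conn.setRequestMethod("HEAD");
                conn.setConnectTimeout(5000); conn.setReadTimeout(5000);
                return FormValidation.ok("Reachable, HTTP " + conn.getResponseCode()
                        + " (as " + creds.getUsername() + ")");
            } catch (java.io.IOException e) {
                return FormValidation.error(e, "Connection failed");
            }
        }
    }
}
```

Jenkins applies its CSRF crumb check only to POST requests, so a validation method reachable by GET gets no crumb protection; @RequirePOST is what brings it under that check, and the explicit permission check is what keeps Overall/Read users out even when they send a valid POST.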