PT-2018-9357 · Jenkins · Jenkins Cas Plugin

Thomas De Grenier De Latour · Published 2018-06-05 · Updated 2022-05-14 · CVE-2018-1000188

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins CAS Plugin versions 1.4.1 and older

Description: A server-side request forgery (SSRF) issue exists in the CasSecurityRealm.java component, allowing attackers with Overall/Read access to cause the Jenkins server to send a GET request to a URL of their choosing. The issue is accompanied by a CSRF vulnerability: the form-validation endpoint lacked adequate protection and did not initially require POST requests.

Recommendations: For Jenkins CAS Plugin versions 1.4.1 and older, update to version 1.4.2 or later, which requires POST requests for form validation and the Overall/Administer permission, mitigating the issue.
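The fix described above is a standard Jenkins hardening pattern for form-validation methods. The following Java snippet is an added example and is not the CAS plugin's own code: it shows a hypothetical URL-field validator (`doCheckServerUrl`) in the weak shape the advisory describes (plain GET, any Overall/Read user) next to the hardened shape matching the 1.4.2 fix (`@RequirePOST` plus an `Overall/Administer` permission check). Class and method names are assumptions; the Jenkins and Stapler APIs used (`FormValidation`, `@QueryParameter`, `@RequirePOST`, `Jenkins.get().checkPermission`) are real.

```java
// Added example, not code from the Jenkins CAS plugin. Class and method names are
// hypothetical; in a real plugin these do* methods live on the descriptor bound by Stapler.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.MalformedURLException;
import java.net.URL;

public final class UrlFieldValidationExample {

    /**
     * Weak shape (the pattern the advisory describes): Stapler routes a plain GET to
     * this method, there is no permission check beyond the Overall/Read needed to
     * reach the page, and a CSRF link can trigger it in a logged-in user's browser.
     * Any connectivity check inside becomes a server-side request to the given URL.
     */
    public static final class WeakForm {
        public FormValidation doCheckServerUrl(@QueryParameter String value) {
            return validateAndProbe(value);
        }
    }

    /**
     * Hardened shape (the 1.4.2 fix): @RequirePOST makes Stapler reject GET requests,
     * which closes the CSRF link vector and the casual GET-based probe, and the
     * explicit Overall/Administer check limits who can make the server reach out at all.
     */
    public static final class HardenedForm {
        @RequirePOST
        public FormValidation doCheckServerUrl(@QueryParameter String value) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return validateAndProbe(value);
        }
    }

    /**
     * Shared validation: parse the value as a URL and accept only http/https before any
     * connectivity check is attempted. The network probe itself is left as a comment;
     * the point of the example is where the guards sit relative to it.
     */
    static FormValidation validateAndProbe(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        final URL url;
        try {
            url = new URL(value.trim());
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL: " + e.getMessage());
        }
        final String scheme = url.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return FormValidation.error("Only http and https URLs are accepted");
        }
        // A connectivity check (an HTTP GET to `url`) would go here. In the hardened
        // form it can only run after the POST and Administer guards have passed.
        return FormValidation.ok();
    }
}
```

The scheme allowlist in `validateAndProbe` is an extra defensive check beyond what the advisory lists; the two guards on `HardenedForm.doCheckServerUrl` are the ones the recommendation describes. For triage, a request log showing GET hits on a plugin's `checkXxx` validation endpoints from non-administrator sessions is the signal that the weak shape is still deployed.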

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2018-1000188
GHSA-F8R7-7HV9-7F43

Affected Products

Jenkins
Jenkins Cas Plugin