CVE-2018-1000606

Name of the Vulnerable Software and Affected Versions Jenkins URLTrigger Plugin versions 0.41 and earlier

Description A server-side request forgery issue exists that allows attackers with Overall/Read access to cause the server to send a GET request to a specified URL. This is due to a vulnerability in the URLTrigger.java file. The issue is resolved in version 0.43, where the form validation method no longer connects to a user-provided URL.

Recommendations For Jenkins URLTrigger Plugin versions 0.41 and earlier, update to version 0.43 or later to resolve the issue. As a temporary workaround, consider restricting access to the URLTrigger.java file or limiting the Overall/Read access to minimize the risk of exploitation.