CVE-2019-1003025

Name of the Vulnerable Software and Affected Versions: Jenkins Cloud Foundry Plugin versions 2.3.1 and earlier

Description: A sensitive information exposure issue exists, allowing attackers with Overall/Read access to connect to a specified URL using attacker-specified credentials IDs, potentially capturing stored credentials in Jenkins. The issue stems from a lack of permission checks on a form validation method, which also led to a cross-site request forgery vulnerability due to not requiring POST requests.

Recommendations: For Jenkins Cloud Foundry Plugin versions 2.3.1 and earlier, update the plugin to enforce permission checks and require POST requests for the form validation method, ensuring Overall/Administer or Item/Configure permissions are in place. As a temporary workaround, consider restricting access to the AbstractCloudFoundryPushDescriptor.java component until a patch is available.