CVE-2019-1003028

Name of the Vulnerable Software and Affected Versions: Jenkins JMS Messaging Plugin versions 1.1.1 and earlier

Description: A server-side request forgery issue exists that allows attackers with Overall/Read permission to have Jenkins connect to a JMS endpoint. This is due to vulnerabilities in the SSLCertificateAuthenticationMethod.java and UsernameAuthenticationMethod.java files.

Recommendations: For Jenkins JMS Messaging Plugin versions 1.1.1 and earlier, consider restricting access to the Overall/Read permission to minimize the risk of exploitation. As a temporary workaround, consider disabling the use of SSLCertificateAuthenticationMethod.java and UsernameAuthenticationMethod.java until a patch is available.