CVE-2019-1003043

Name of the Vulnerable Software and Affected Versions: Jenkins Slack Notification Plugin versions 2.19 and earlier

Description: A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The issue is related to a method implementing form validation that did not perform permission checks, allowing users with Overall/Read access to exploit the vulnerability. Additionally, this method was vulnerable to cross-site request forgery as it did not require POST requests.

Recommendations: For Jenkins Slack Notification Plugin versions 2.19 and earlier, update the plugin to a version that requires POST requests and has proper permission checks in place, such as Overall/Administer for global configuration or Item/Configure permissions for job configuration.