PT-2019-11712 · Jenkins · Jenkins Ansible Tower Plugin

Peter Adkins · Published 2019-04-30 · Updated 2023-10-25 · CVE-2019-10310

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Jenkins Ansible Tower Plugin version 0.9.1 and earlier

Description: A cross-site request forgery issue allowed attackers to make Jenkins connect to a specified URL using specified credentials IDs, potentially capturing credentials stored in Jenkins. The vulnerability arose from a missing permission check on a form validation method, so any user with Overall/Read access could invoke it. The method also did not require POST requests, which is what made it reachable through a cross-site request in the first place.

Recommendations: For Jenkins Ansible Tower Plugin version 0.9.1 and earlier, update the plugin to a version that requires POST requests and Overall/Administer permissions for the form validation method, i.e. the version that includes the fix for this issue. As a temporary workaround, consider restricting access to the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method to users with Overall/Administer permissions until a patch is applied.
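The two hardening requirements the recommendation names (POST-only and Overall/Administer) are shown below as an added Java sketch of the descriptor method; this is not the plugin's own source. The package name, the query parameter names (towerURL, towerCredentialsId) and the testConnection helper are assumptions; only the method name and the two checks come from the advisory.

```java
package org.jenkinsci.plugins.ansible_tower; // package name is an assumption

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class TowerInstallation extends AbstractDescribableImpl<TowerInstallation> {

    @Extension
    public static class TowerInstallationDescriptor extends Descriptor<TowerInstallation> {

        // Vulnerable shape (reconstructed for illustration, not the original code):
        // reachable by GET and with no permission check, so any Overall/Read user,
        // or a victim following a crafted link, could trigger a connection attempt
        // with a stored credential of the requester's choosing.
        //
        // public FormValidation doTestTowerConnection(@QueryParameter String towerURL,
        //                                             @QueryParameter String towerCredentialsId) {
        //     return testConnection(towerURL, towerCredentialsId);
        // }

        // Hardened shape: @RequirePOST rejects GET requests (so the endpoint is covered
        // by Jenkins' CSRF crumb protection), and checkPermission refuses callers who
        // lack Overall/Administer before any network activity happens.
        @RequirePOST
        public FormValidation doTestTowerConnection(@QueryParameter String towerURL,
                                                    @QueryParameter String towerCredentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return testConnection(towerURL, towerCredentialsId);
        }

        // Stand-in for the real connectivity check; name and behaviour are assumptions.
        private FormValidation testConnection(String url, String credentialsId) {
            if (url == null || url.isEmpty()) {
                return FormValidation.error("Tower URL is required");
            }
            if (credentialsId == null || credentialsId.isEmpty()) {
                return FormValidation.warning("No credentials selected");
            }
            return FormValidation.ok("Connection parameters accepted for " + url);
        }
    }
}
```

On Jenkins cores older than 2.98, Jenkins.get() is not available and Jenkins.getInstance() is used instead.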

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2019-10310
GHSA-VRVM-459Q-J824

Affected Products

Jenkins
Jenkins Ansible Tower Plugin