CVE-2019-10311

Name of the Vulnerable Software and Affected Versions Jenkins Ansible Tower Plugin versions 0.9.1 and earlier

Description A missing permission check in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. This issue also resulted in a cross-site request forgery vulnerability due to the form validation method not requiring POST requests.

Recommendations For Jenkins Ansible Tower Plugin versions 0.9.1 and earlier, update the plugin to a version that requires POST requests and Overall/Administer permissions for the form validation method.