CVE-2019-10321

Name of the Vulnerable Software and Affected Versions Jenkins Artifactory Plugin versions 3.2.2 and earlier

Description A cross-site request forgery issue allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. The vulnerability is due to a lack of permission checks on a method implementing form validation, which also does not require POST requests.

Recommendations For Jenkins Artifactory Plugin versions 3.2.2 and earlier, as a temporary workaround, consider restricting access to the ArtifactoryBuilder.DescriptorImpl#doTestConnection method until a patch is available. Additionally, restrict the use of the form validation method to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.