PT-2019-11723 · Jenkins · Jenkins Artifactory Plugin

Published: 2019-05-31 · Updated: 2023-10-25 · CVE-2019-10322

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Artifactory Plugin versions 3.2.2 and earlier

Description: A missing permission check in the Jenkins Artifactory Plugin allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The form validation method does not require POST requests, resulting in a cross-site request forgery issue.

Recommendations: For Jenkins Artifactory Plugin versions 3.2.2 and earlier, as a temporary workaround, consider disabling the ArtifactoryBuilder.DescriptorImpl#doTestConnection method until a patch is available. Restrict access to the form validation method to minimize the risk of exploitation. Avoid using the credentials IDs in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
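The two defects the description names (a form-validation endpoint reachable by GET, and no permission check before a caller-chosen credentials ID is resolved and sent to a caller-chosen URL) are a recurring pattern in Jenkins plugin descriptors. The following Java is an added illustration, not the Artifactory plugin's own code or its fix: it shows a generic `doTestConnection`-style method in the unsafe shape beside the hardened shape that the usual Jenkins remediation takes (require POST, and require a permission that already entitles the caller to use the credentials in that context). The class names `ExampleBuilder`, `probe` and `lookup` are assumptions for the example; the Stapler, Jenkins core and Credentials plugin APIs it calls are real.

```java
package example; // illustrative package name, not part of any real plugin

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.util.Collections;
import java.util.List;

public class ExampleBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        // UNSAFE SHAPE (illustrative): any authenticated user with Overall/Read can hit
        // this by a plain GET (so a crafted link suffices), no permission is checked,
        // and any stored credentials ID is resolved and sent to any URL the caller names.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                     @QueryParameter String credentialsId) {
            StandardUsernamePasswordCredentials c = lookup(null, credentialsId);
            return probe(url, c);
        }

        // HARDENED SHAPE: @POST rejects GET requests (which also brings the request under
        // Jenkins' CSRF crumb protection), and the caller must hold a permission that
        // already lets them configure those credentials in this context: Item/Configure
        // on the job when called from a job page, Overall/Administer otherwise.
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (url == null || url.trim().isEmpty()) {
                return FormValidation.warning("URL is empty");
            }
            StandardUsernamePasswordCredentials c = lookup(item, credentialsId);
            if (c == null) {
                return FormValidation.error("No credentials with that ID are visible here");
            }
            return probe(url, c);
        }

        // Resolve a credentials ID scoped to the job (or globally when item is null).
        private static StandardUsernamePasswordCredentials lookup(Item item, String id) {
            if (id == null || id.isEmpty()) {
                return null;
            }
            List<StandardUsernamePasswordCredentials> all = CredentialsProvider.lookupCredentials(
                    StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM,
                    Collections.<DomainRequirement>emptyList());
            return CredentialsMatchers.firstOrNull(all, CredentialsMatchers.withId(id));
        }

        // Placeholder for the actual connection test; the network call is not the point here.
        private static FormValidation probe(String url, StandardUsernamePasswordCredentials c) {
            return FormValidation.ok("Would test " + url + " as " + c.getUsername());
        }
    }
}
```

When reviewing a plugin for this class of issue, the checks are mechanical: every `do*` method in a `Descriptor` that takes a `credentialsId` or a URL should carry `@POST` (or `@RequirePOST`) and a `checkPermission` call before any lookup happens, and the permission should be the one that governs configuring the credentials in that scope rather than a mere read permission.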

Exploit

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2019-10322
GHSA-GXM5-JRRF-5C4V

Affected Products

Jenkins Artifactory Plugin