CVE-2019-10324

Name of the Vulnerable Software and Affected Versions Jenkins Artifactory Plugin versions 3.2.2 and earlier

Description A cross-site request forgery issue allows attackers to perform certain actions, including scheduling a release build, performing release staging for Gradle and Maven projects, and promoting previously staged builds. This is possible due to vulnerabilities in the ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit functions.

Recommendations For Jenkins Artifactory Plugin versions 3.2.2 and earlier, consider disabling the ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit functions as a temporary workaround until a patch is available. Restrict access to these functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.