CVE-2019-10331

Name of the Vulnerable Software and Affected Versions Jenkins ElectricFlow Plugin version 1.1.5 and earlier CloudBees CD Plugin (affected versions not specified)

Description A cross-site request forgery issue allows attackers to connect to a specified URL using specified credentials. This is due to a missing permission check in a form validation method, which can be exploited by users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password. The form validation method was also vulnerable because it did not require POST requests.

Recommendations For Jenkins ElectricFlow Plugin version 1.1.5 and earlier, update to a version that requires POST requests and has Overall/Administer permissions for the form validation method. For CloudBees CD Plugin, restrict access to the form validation method to users with Overall/Administer permissions and ensure that it requires POST requests.