PT-2019-11732 · CloudBees · CloudBees CD Plugin

Daniel Beck · Published 2019-06-11 · Updated 2023-10-25 · CVE-2019-10332

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins ElectricFlow Plugin version 1.1.5 and earlier; CloudBees CD Plugin (affected versions not specified)

Description: A missing permission check in the Configuration#doTestConnection method allowed users with Overall/Read access to make Jenkins connect to an attacker-specified URL using attacker-specified credentials. The same form validation method also did not require POST requests, resulting in a CSRF vulnerability. The form validation method now requires POST requests and Overall/Administer permission.

Recommendations: For Jenkins ElectricFlow Plugin version 1.1.5 and earlier, update to a version that includes the fix for the missing permission check in the Configuration#doTestConnection method. For CloudBees CD Plugin, ensure that the form validation method requires POST requests and Overall/Administer permission to mitigate the risk of exploitation. At the moment, there is no information about a newer version of CloudBees CD Plugin that contains a fix for this vulnerability.
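The weakness class and its fix, sketched as a Jenkins GlobalConfiguration with a "Test Connection" form validation method. This is an added illustration, not the ElectricFlow or CloudBees CD plugin's own code; the class name, parameter names and the probe helper are assumptions, while @RequirePOST, Jenkins.get() and checkPermission are the standard Jenkins/Stapler APIs.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

@Extension
public class ExampleConfiguration extends GlobalConfiguration {

    // BEFORE (the pattern the advisory describes): any HTTP method is accepted and
    // no permission is checked, so a user with only Overall/Read, or a CSRF link
    // opened by such a user, makes Jenkins connect to an arbitrary URL with
    // arbitrary credentials.
    public FormValidation doTestConnectionInsecure(@QueryParameter String url,
                                                   @QueryParameter String username,
                                                   @QueryParameter String password) {
        return probe(url, username, password);
    }

    // AFTER (the fix the advisory describes): POST only, so Jenkins' CSRF crumb
    // check applies, and the caller must hold Overall/Administer.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(url, username, password);
    }

    // Hypothetical helper standing in for the real connection test: one
    // authenticated HEAD request against the configured server.
    private FormValidation probe(String url, String username, String password) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connection OK")
                                : FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

A useful check when reviewing other plugins is to grep for `do[A-Z]\w*\(` methods in configuration classes and confirm each has both a permission check and @RequirePOST (or @POST) when it performs an outbound request or uses submitted credentials.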

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers
CVE-2019-10332
GHSA-66R6-RVV9-9X6M

Affected Products
CloudBees CD Plugin
Jenkins
Jenkins ElectricFlow Plugin