CVE-2019-10368

Name of the Vulnerable Software and Affected Versions Jenkins JClouds Plugin versions 2.14 and earlier

Description A cross-site request forgery issue allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. The vulnerability is due to a lack of permission checks on a form validation method, which also did not require POST requests.

Recommendations For Jenkins JClouds Plugin versions 2.14 and earlier, update the plugin to a version that requires POST requests and Overall/Administer permission for the form validation method, thus preventing the cross-site request forgery vulnerability.