PT-2019-11802 · Jenkins · Jenkins Project Inheritance Plugin
Published 2019-09-25 · Updated 2023-10-25 · CVE-2019-10408
CVSS v2.0: 4.3 (Medium), vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Project Inheritance Plugin version 2.0.0 and earlier
Description
The affected plugin allows projects to be created from predefined templates. The HTTP endpoint that triggers this creation did not check the caller's permissions, so any user with Overall/Read permission could create projects. Because the endpoint also accepted GET requests rather than requiring POST, it bypassed Jenkins' CSRF protection, allowing an attacker to cause a logged-in user's browser to create projects on their behalf (cross-site request forgery).
Recommendations
For Jenkins Project Inheritance Plugin version 2.0.0 and earlier, update the plugin to a version that requires Item/Create permission for project creation and that makes the HTTP endpoint triggering project creation accept POST requests only.
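To make the description and the fix concrete, here is an added example (constructed for this entry, not the plugin's own code) of a Jenkins Stapler web method in its vulnerable and hardened forms. The class name `TemplateActions`, the method names and the request parameters are assumptions; the Jenkins and Stapler APIs used (`@RequirePOST`, `Jenkins.checkPermission`, `Item.CREATE`, `Jenkins.copy`) are the real ones a plugin would call.

```java
package example; // constructed example; not the Project Inheritance Plugin's code

import hudson.model.Item;
import hudson.model.TopLevelItem;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

/**
 * Illustrates the defect class behind CVE-2019-10408: a state-changing
 * endpoint reachable by GET with no permission check beyond Overall/Read.
 * Class and method names are hypothetical.
 */
public class TemplateActions {

    // BEFORE (vulnerable): Stapler exposes do* methods for any HTTP method,
    // and nothing here checks more than the Overall/Read needed to reach the
    // URL. A GET request also bypasses Jenkins' crumb (anti-CSRF) check,
    // which is only applied to POST.
    public void doCreateFromTemplateVulnerable(StaplerRequest req, StaplerResponse rsp)
            throws IOException {
        copyTemplate(req.getParameter("template"), req.getParameter("name"));
        rsp.sendRedirect2(req.getContextPath() + "/job/" + req.getParameter("name") + "/");
    }

    // AFTER (hardened): (1) @RequirePOST rejects GET, so a plain link or image
    // tag cannot trigger it and the crumb check applies; (2) the permission
    // that actually governs the action, Item/Create, is checked explicitly.
    @RequirePOST
    public void doCreateFromTemplate(StaplerRequest req, StaplerResponse rsp)
            throws IOException {
        Jenkins.get().checkPermission(Item.CREATE); // throws AccessDeniedException otherwise
        String name = req.getParameter("name");
        copyTemplate(req.getParameter("template"), name);
        rsp.sendRedirect2(req.getContextPath() + "/job/" + name + "/");
    }

    // Shared helper: copy an existing top-level item under a new name.
    // Jenkins.checkGoodName rejects names with path separators and other
    // characters that are unsafe in item names.
    private void copyTemplate(String templateName, String newName) throws IOException {
        Jenkins jenkins = Jenkins.get();
        Jenkins.checkGoodName(newName);
        TopLevelItem template = jenkins.getItem(templateName);
        if (template == null) {
            throw new IllegalArgumentException("no such template: " + templateName);
        }
        jenkins.copy(template, newName);
    }
}
```

The two changes are independent and both are needed: `@RequirePOST` alone still lets any Overall/Read user create projects with a crafted POST carrying their own crumb, and the permission check alone still leaves a GET endpoint that a victim with Item/Create permission can be tricked into hitting. A quick review check for Jenkins plugins is to list every `do*` method that mutates state and confirm each carries `@RequirePOST` (or `@POST`) and an explicit `checkPermission` on the relevant object.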
Fix
CSRF
Affected Products
Jenkins
Jenkins Project Inheritance Plugin