PT-2019-14703 · Jenkins · Jenkins Google Compute Engine Plugin

Matt Sicker · Published 2019-11-21 · Updated 2023-10-25 · CVE-2019-16548

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier
Description: A cross-site request forgery issue exists in the ComputeEngineCloud#doProvision function, which could be used to provision new agents. The Google Compute Engine Plugin version 4.2.0 mitigates this by requiring POST requests for the affected API endpoint.
Recommendations: For Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier, consider updating to version 4.2.0 or later, which requires POST requests for the affected API endpoint, to prevent cross-site request forgery attacks. As a temporary workaround, consider restricting access to the ComputeEngineCloud#doProvision function until a patch is available.
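To make the mitigation concrete for plugin maintainers, the following is an added example (not the Google Compute Engine Plugin's own code) of a Stapler web method on a Jenkins Cloud before and after the change the advisory describes: restricting the endpoint to POST with Stapler's @RequirePOST so that Jenkins' crumb-based CSRF protection applies, plus an explicit permission check. The class names, the template parameter and the provisionFromTemplate helper are hypothetical; Cloud, Cloud.PROVISION, @QueryParameter, @RequirePOST and HttpResponses are real Jenkins/Stapler APIs.

```java
// Added example, not part of the advisory or the plugin. Class names, the
// "template" query parameter and provisionFromTemplate() are hypothetical.
import hudson.model.Label;
import hudson.slaves.Cloud;
import hudson.slaves.NodeProvisioner;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Collection;
import java.util.Collections;

/** BEFORE: a web method with no HTTP-method restriction. */
class VulnerableExampleCloud extends Cloud {
    VulnerableExampleCloud(String name) { super(name); }

    // Stapler binds this to .../cloud/<name>/provision for any HTTP method,
    // so a plain GET issued from another origin with the victim's session
    // cookie reaches it without a crumb: the state-changing action is CSRF-able.
    public HttpResponse doProvision(@QueryParameter String template) {
        provisionFromTemplate(template);          // hypothetical helper
        return HttpResponses.redirectToDot();
    }

    void provisionFromTemplate(String template) { /* start an agent from the template */ }

    @Override public boolean canProvision(Label label) { return false; }
    @Override public Collection<NodeProvisioner.PlannedNode> provision(Label label, int excessWorkload) {
        return Collections.emptyList();
    }
}

/** AFTER: the same method hardened as the 4.2.0 fix describes. */
class HardenedExampleCloud extends Cloud {
    HardenedExampleCloud(String name) { super(name); }

    // @RequirePOST makes Stapler reject non-POST requests before the body runs.
    // Because the request must now be a POST, Jenkins' CSRF protection requires a
    // valid crumb, which a cross-origin page cannot obtain. The permission check
    // is independent of the CSRF fix and limits who may provision at all.
    @RequirePOST
    public HttpResponse doProvision(@QueryParameter String template) {
        checkPermission(Cloud.PROVISION);
        provisionFromTemplate(template);          // hypothetical helper
        return HttpResponses.redirectToDot();
    }

    void provisionFromTemplate(String template) { /* start an agent from the template */ }

    @Override public boolean canProvision(Label label) { return false; }
    @Override public Collection<NodeProvisioner.PlannedNode> provision(Label label, int excessWorkload) {
        return Collections.emptyList();
    }
}
```

A quick check after upgrading or patching: issuing a GET to the provision URL should now be refused by Stapler instead of creating an agent, and a POST without a valid crumb should be rejected by Jenkins' CSRF protection. Any provisioning that still succeeds from a bare GET indicates the endpoint is not yet covered.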

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2019-16548
GHSA-X24M-WR2F-P3VC

Affected Products

Jenkins
Jenkins Google Compute Engine Plugin