CVE-2019-16565

Name of the Vulnerable Software and Affected Versions Jenkins Team Concert Plugin versions 1.3.0 and earlier

Description A cross-site request forgery issue allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. This is due to a lack of permission checks on a method implementing form validation, which can be exploited by users with Overall/Read access to Jenkins. The form validation method is also vulnerable as it does not require POST requests.

Recommendations For Jenkins Team Concert Plugin versions 1.3.0 and earlier, as a temporary workaround, consider restricting access to the form validation method to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.