CVE-2019-16566

Name of the Vulnerable Software and Affected Versions Jenkins Team Concert Plugin versions 1.3.0 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The form validation method does not require POST requests, resulting in a CSRF vulnerability.

Recommendations For Jenkins Team Concert Plugin versions 1.3.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.