A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins
{
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "0.9.1"
}
],
"cpe": "cpe:2.3:a:jenkins:ansible_tower:*:*:*:*:*:jenkins:*:*"
}