A missing permission check in a form validation method in CloudBees CD Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password.
Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
{ "nvd_published_at": "2019-06-11T14:29:00Z", "cwe_ids": [ "CWE-862" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-10-26T22:16:26Z" }