ASA-2019-00099 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability and missing permission checks in Job Import Plugin allowed capturing credentials

Job Import Plugin did not check user permissions on its API endpoint used to access remote Jenkins instances. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
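
The flaw class described above, shown as an added example in hardened form; this is not code from the Job Import Plugin or from this advisory. The class, method and parameter names and the choice of Overall/Administer as the required permission are assumptions, and the code builds against Jenkins core plus the Credentials Plugin.

```java
// Added example: hypothetical endpoint, not the Job Import Plugin's source.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class RemoteJenkinsProbe { // hypothetical class name

    @POST // non-POST requests are rejected, so Jenkins' CSRF crumb check covers every call
    public FormValidation doTestConnection(@QueryParameter String remoteUrl,
                                           @QueryParameter String credentialsId) throws IOException {
        // Assumed permission: Overall/Administer. Without this check, any user
        // with Overall/Read reaches the credential lookup below.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        // The lookup runs with system authority, so knowing the ID is enough to select the secret.
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class, Jenkins.get(),
                        ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("Unknown credentials ID");
        }

        // The secret leaves Jenkins here, addressed to whatever URL the caller supplied.
        String basic = Base64.getEncoder().encodeToString(
                (c.getUsername() + ":" + c.getPassword().getPlainText())
                        .getBytes(StandardCharsets.UTF_8));
        HttpURLConnection conn = (HttpURLConnection) new URL(remoteUrl).openConnection();
        conn.setRequestProperty("Authorization", "Basic " + basic);
        int status = conn.getResponseCode();
        return status == 200 ? FormValidation.ok("Connected")
                             : FormValidation.error("HTTP " + status);
    }
}
```

When reviewing other plugins for the same pattern, look for `do*` web methods that accept both a URL and a credentials ID and lack either the POST annotation or an explicit `checkPermission` call.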