ASA-2019-00100 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability in Job Import Plugin allowed creating and overwriting jobs

Job Import Plugin did not require that requests to its /import URL, which processes job import requests, be sent via POST. This resulted in a cross-site request forgery (CSRF) vulnerability that could be exploited to create or replace jobs on the local instance, if the remote Jenkins instance has jobs with the same names, or to install additional plugins, if jobs on the remote Jenkins instance reference them in their configuration. Job Import Plugin 3.0 restricted which remote Jenkins instances jobs can be imported from, limiting how this can be exploited. As of Job Import Plugin 3.1, the /import URL requires that requests be sent via POST.
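The following is an added illustration of the two mitigations the advisory describes, written for this page and not taken from Job Import Plugin's source. The class `ImportActionExample`, the methods `doImportUnsafe`, `doImport` and `importJobs`, the `remoteUrl` parameter and the allow-list entry are all hypothetical; only `@RequirePOST`, `RootAction`, `Jenkins.get().checkPermission` and the Stapler request/response types are real Jenkins APIs. The unsafe method shows the shape of a Stapler web method reachable by a plain GET (the CSRF condition), the hardened one the shape of a method that Stapler only serves on POST (the 3.1 fix), and `importJobs` stands in for the remote-instance restriction introduced in 3.0.

```java
// Added example (hypothetical names, not Job Import Plugin's own code).
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import javax.servlet.ServletException;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

@Extension
public class ImportActionExample implements RootAction {

    // Constructed allow-list of remote Jenkins instances jobs may be imported from.
    // Job Import Plugin 3.0 added a restriction of this kind; the URL here is made up.
    private static final Set<String> ALLOWED_REMOTES =
            new HashSet<>(Arrays.asList("https://jenkins.example.internal/"));

    // Vulnerable shape (pre-3.1): Stapler maps this to /importUnsafe for any HTTP
    // method, so a GET issued cross-site with the victim's session reaches the
    // permission check and, if the victim is an administrator, the import logic.
    // Jenkins' CSRF crumb is only enforced on POST, so it does not protect this path.
    public void doImportUnsafe(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        importJobs(req.getParameter("remoteUrl"));
        rsp.sendRedirect2(".");
    }

    // Hardened shape (3.1 behaviour): @RequirePOST makes Stapler reject any request
    // that is not a POST before the method body runs, and POST requests are the ones
    // Jenkins' crumb filter validates, closing the cross-site trigger.
    @RequirePOST
    public void doImport(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        importJobs(req.getParameter("remoteUrl"));
        rsp.sendRedirect2(".");
    }

    // Placeholder for the actual import: the only part modelled here is refusing
    // remotes that are not on the configured allow-list, which limits what a forged
    // request could pull in even if the POST requirement were missing.
    private void importJobs(String remoteUrl) {
        if (remoteUrl == null || !ALLOWED_REMOTES.contains(remoteUrl)) {
            throw new IllegalArgumentException(
                    "remote Jenkins instance is not on the configured allow-list: " + remoteUrl);
        }
        // Fetching the remote jobs' config.xml and creating them locally is out of
        // scope for this illustration.
    }

    @Override
    public String getIconFileName() {
        return null; // hidden from the sidebar; reachable by URL only
    }

    @Override
    public String getDisplayName() {
        return "Import jobs (example)";
    }

    @Override
    public String getUrlName() {
        return "example-import";
    }
}
```

When reviewing a Jenkins plugin for this class of issue, the check is mechanical: every `doXxx` web method that changes state (creates jobs, installs plugins, writes configuration) should carry `@RequirePOST` (or `@POST`) so that Stapler refuses other methods and the crumb filter applies; a permission check alone, as in `doImportUnsafe`, does not stop a forged request from an already-authenticated browser.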