Description
A missing permission check in ArtifactoryBuilder.DescriptorImpl#doTestConnection in Jenkins Artifactory Plugin 3.2.2 and earlier allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins.
Remediation
References