Description
A server-side request forgery (SSRF) vulnerability exists in Jenkins 2.120 and older, and LTS 2.107.2 and older, in ZipExtractionInstaller.java. It allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (HTTP 200) or not.
Remediation
References
Related Vulnerabilities
WordPress Plugin Dean's FCKEditor with pwwang's code Arbitrary File Upload (1.0.0)
Mailman Improper Restriction of Excessive Authentication Attempts Vulnerability (CVE-2021-42096)
Sqlite Improper Initialization Vulnerability (CVE-2020-11655)
WordPress Plugin DELUCKS SEO Unspecified Vulnerability (1.2.2)
WordPress Plugin Theme Blvd Widget Areas Multiple Security Bypass Vulnerabilities (1.2.2)