The Jenkins Mailer Plugin through version 1.20 is missing a permissions check in the Mailer.java:doSendTestMail() function. Users with Overall/Read access are able to connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could result in DoS if, for example, specifying a valid mail server but invalid credentials.
As the same URL did not require POST to be used, it also was vulnerable to cross-site request forgery.
Upstream Advisory:
https://jenkins.io/security/advisory/2018-03-26/
Upstream Patch:
https://github.com/jenkinsci/mailer-plugin/commit/98e79cf904769907f83894e29f50ed6b3e7eb135