The Jenkins Mailer Plugin through version 1.20 is missing a permissions check in the Mailer.java:doSendTestMail() function. Users with Overall/Read access are able to connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could result in DoS if, for example, specifying a valid mail server but invalid credentials. As the same URL did not require POST to be used, it also was vulnerable to cross-site request forgery. Upstream Advisory: https://jenkins.io/security/advisory/2018-03-26/ Upstream Patch: https://github.com/jenkinsci/mailer-plugin/commit/98e79cf904769907f83894e29f50ed6b3e7eb135
Created jenkins-mailer-plugin tracking bugs for this issue: Affects: fedora-all [bug 1561288]