The form validation code for a tool installer improperly checked permissions, allowing any user with Overall/Read permission to submit an HTTP GET request to any user-specified URL and learn whether the response was successful (HTTP 200) or not. Additionally, this functionality did not require that POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

External References:

https://jenkins.io/security/advisory/2018-05-09/
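
The two controls the description says were missing, a sufficient permission check and a POST requirement, look like this on a Jenkins form-validation method. This is an added example, not the Jenkins core code or the advisory's patch; `ExampleInstaller`, `doCheckLegacyUrl`, `doCheckUrl` and `probe` are hypothetical names, and requiring Overall/Administer is an assumed choice of permission.

```java
import hudson.Extension;
import hudson.FilePath;
import hudson.model.Node;
import hudson.model.TaskListener;
import hudson.tools.ToolInstallation;
import hudson.tools.ToolInstaller;
import hudson.tools.ToolInstallerDescriptor;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URLConnection;
import java.net.URL;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical installer used only for illustration; not a class from Jenkins core.
public class ExampleInstaller extends ToolInstaller {
    public ExampleInstaller(String label) { super(label); }

    @Override
    public FilePath performInstallation(ToolInstallation tool, Node node, TaskListener log) {
        return preferredLocation(tool, node); // installation itself is out of scope here
    }

    @Extension
    public static class DescriptorImpl extends ToolInstallerDescriptor<ExampleInstaller> {
        @Override public String getDisplayName() { return "Example installer"; }

        // BEFORE (the flaw class described above): answers plain GET and adds no check
        // beyond the Overall/Read needed to reach it, giving a 200 / not-200 oracle.
        public FormValidation doCheckLegacyUrl(@QueryParameter String value) throws IOException {
            return probe(value);
        }

        // AFTER: POST only (so the request falls under Jenkins' CSRF crumb check)
        // and limited to administrators (assumed permission level).
        @RequirePOST
        public FormValidation doCheckUrl(@QueryParameter String value) throws IOException {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws if the caller lacks it
            return probe(value);
        }

        // Outbound request made by the Jenkins controller; only success or failure is reported.
        private static FormValidation probe(String value) throws IOException {
            URLConnection c = new URL(value).openConnection();
            if (!(c instanceof HttpURLConnection)) return FormValidation.error("Not an HTTP(S) URL");
            boolean ok = ((HttpURLConnection) c).getResponseCode() == HttpURLConnection.HTTP_OK;
            return ok ? FormValidation.ok() : FormValidation.error("Could not fetch " + value);
        }
    }
}
```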

Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1576715]