Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

External References:

https://jenkins.io/security/advisory/2018-06-04/
This was fixed with the initial release of OCP 3.11:
https://access.redhat.com/errata/RHBA-2018:2652

"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."
https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-binary
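
An audit sketch for the flaw pattern in the advisory text above, added here as an example and not taken from Git Plugin or the Jenkins project: it scans Java source for Stapler `doCheck*` form validation methods that lack a POST-only annotation (`@POST` or `@RequirePOST`) or a permission check. The embedded Java sample and the names `ExampleDescriptor`, `ExampleScm` and `probe` are constructed for illustration.

```python
import re

# Constructed Java source (hypothetical names, not Git Plugin code): one
# unprotected form validation method and one with @POST and a permission check.
SAMPLE = '''
public class ExampleDescriptor extends Descriptor<ExampleScm> {
    public FormValidation doCheckUrl(@QueryParameter String value) {
        return probe(value);  // sends a GET to a caller-supplied URL
    }

    @POST
    public FormValidation doCheckMirror(@AncestorInPath Item item,
                                        @QueryParameter String value) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return probe(value);
    }
}
'''

# Annotations directly above the method, then the doCheck* signature.
METHOD = re.compile(r'((?:@\w+(?:\([^)]*\))?\s+)*)'
                    r'public\s+FormValidation\s+(doCheck\w+)\s*\(')

def body_of(src, start):
    """Return the brace-balanced method body that opens after `start`."""
    i = src.index('{', start)
    depth = 0
    for j in range(i, len(src)):
        depth += (src[j] == '{') - (src[j] == '}')
        if depth == 0:
            return src[i:j + 1]
    return src[i:]

def audit(src):
    """Map each doCheck* method to the protections it is missing."""
    findings = {}
    for m in METHOD.finditer(src):
        missing = []
        if not re.search(r'@(POST|RequirePOST)\b', m.group(1)):
            missing.append('POST-only')
        if not re.search(r'\b(check|has)Permission\(', body_of(src, m.end())):
            missing.append('permission check')
        if missing:
            findings[m.group(2)] = missing
    return findings
```

The check is textual, so a method that delegates its permission check to a helper will be reported and needs manual review.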