A data modification vulnerability exists in Jenkins Resource Disposer Plugin 0.11 and earlier in AsyncResourceDisposer.java that allows attackers to stop tracking a specified resource. Additionally, this API endpoint did not require POST requests, resulting in a CSRF vulnerability. As of version 0.12, this API endpoint requires POST requests and Overall/Administer permissions.

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-1999037
• https://jenkins.io/security/advisory/2018-07-30/#SECURITY-997
• jenkinsci/resource-disposer-plugin@d826a99