A server-side request forgery vulnerability exists in Jenkins GitHub Plugin 1.29.0 and older in GitHubPluginConfig.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-1000184
• https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799
• jenkinsci/github-plugin@9a20b7d