A server-side request forgery vulnerability exists in Jenkins TraceTronic ECU-TEST Plugin 2.3 and earlier in ATXPublisher.java that allows attackers to have Jenkins send HTTP requests to an attacker-specified host.

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-1999026
• https://jenkins.io/security/advisory/2018-07-30/#SECURITY-994
• jenkinsci/ecutest-plugin@943c4d3
• https://web.archive.org/web/20200227115310/http://www.securityfocus.com/bid/104960