A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials.

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-1999039
• https://jenkins.io/security/advisory/2018-07-30/#SECURITY-982