Chef Sinatra Plugin 1.20 and earlier does not perform a permission check in a method implementing form validation.
As the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.