Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. The most notable ones:
SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished
SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself
SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site
SECURITY-414: Remove any update site from the Jenkins configuration
SECURITY-415: Change a userβs API token
SECURITY-416: Submit system configuration
SECURITY-417: Submit global security configuration
SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process
SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method
SECURITY-420: Cancel a scheduled restart
SECURITY-420: Configure the global logging levels
SECURITY-420: Create a copy of an existing agent
SECURITY-420: Create copies of views in usersβ βMy Viewsβ or as children of the experimental βTree Viewβ feature
SECURITY-420: Enter βquiet downβ mode in which no new builds are started
SECURITY-420: On Windows, after successful installation as a service, restart
SECURITY-420: On Windows, try to install Jenkins as a service
SECURITY-420: Set the descriptions of items (jobs), builds, and users
SECURITY-420: Submit global tools configuration (Jenkins 2.0 and up)
SECURITY-420: Toggle keeping a build forever (i.e. exclude or include it in log rotation)
SECURITY-420: Try to connect all disconnected agents simultaneously
SECURITY-420: Update the node monitor data on all agents
The above, as well as several other more minor issues, have all been fixed and these actions now require POST requests, and, if configured, a CSRF crumb, to work.