A missing permission check in Jenkins Contrast Continuous Application Security Plugin version 3.11 and earlier allows an attacker with Overall or Read access to configure the plugin to direct the Jenkins server to connect to an arbitrary URL using attacker‑supplied credentials. This flaw permits the attacker to force outbound network traffic from the Jenkins instance, potentially exposing sensitive data or sending data to a malicious endpoint. The vulnerability is an improper access control flaw (CWE-284) that enables unauthorized external connectivity.

The vulnerability affects the Jenkins Project’s Contrast Continuous Application Security Plugin versions 3.11 and earlier. Any Jenkins versions is potentially impacted if users are granted Overall or Read permissions.

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation. However, based on the description, the attack requires only legitimate access to the Jenkins UI with Overall or Read privileges, which many users may possess in typical environments. The risk level can be inferred as moderate to high because the attacker can cause the system to initiate outbound connections that may lead to data exfiltration or interaction with compromised external services. No direct evidence of remote code execution is provided by the description.