Impact
This vulnerability is a cross-site request forgery (CSRF) in the Jenkins Assembla Plugin 1.4 and earlier that lets an attacker make the plugin connect to an arbitrary attacker-chosen URL, using a username and password the attacker supplies. The Jenkins server therefore acts as a client to external services on the attacker's behalf, potentially authenticating to those services with credentials the attacker controls. The weakness is classified as CWE-352.
Affected Systems
The flaw affects the Jenkins Project's Assembla Plugin version 1.4 and all earlier releases. Any Jenkins installation with one of these plugin versions installed is potentially vulnerable. The stated version range is 1.4 and lower; whether later releases are unaffected is not known.
Risk and Exploitability
The CVSS score for this issue is 5.4, indicating moderate severity. An EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation at this time. Because the flaw is a CSRF attack that requires a forged request from a user already authenticated to the Jenkins instance, the risk depends on the presence of a privileged user session that can be coerced. If such a session exists, the attacker may be able to force the server to connect to arbitrary endpoints with supplied credentials, creating a covert channel for external communication. Overall, the exploitation likelihood is moderate given the need for a valid user session and the absence of known public exploits.
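The usual Jenkins hardening for this class of form-validation CSRF is shown below as an added example; it is not the Assembla Plugin's own code, and the page does not name the affected endpoint. The class name, the `doTestConnection` method and its parameter names, and the HTTPS-only rule are assumptions; the `@POST`, `@QueryParameter`, `FormValidation` and `Jenkins.get().checkPermission` APIs are real Jenkins/Stapler APIs. The unsafe method is kept beside the hardened one only to show which two controls are missing when a connection-test method can be reached by a cross-site GET.

```java
// Added example, not the Assembla Plugin's own code. Class, method and
// parameter names are hypothetical; the annotations and Jenkins APIs are real.
package example;

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ConnectionCheckExample {

    // BEFORE (the CWE-352 pattern): Stapler routes plain GET requests to do*
    // methods, so a forged link or <img> on a page viewed by a logged-in
    // Jenkins user makes the server contact an attacker-chosen url with
    // attacker-chosen credentials. No crumb is required for GET.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String username,
                                                 @QueryParameter String password) {
        return probe(url, username, password);
    }

    // AFTER: two independent controls.
    // 1. @POST makes Stapler reject anything but POST; with CSRF protection
    //    enabled, a POST must carry the Jenkins crumb, which a cross-site
    //    page cannot obtain.
    // 2. checkPermission restricts who may trigger an outbound connection
    //    from the server at all, regardless of how the request arrived.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        // Assumption for this example: only HTTPS endpoints are legitimate
        // targets for the connection test.
        if (url == null || !url.startsWith("https://")) {
            return FormValidation.error("URL must use https://");
        }
        return probe(url, username, password);
    }

    // Shared connection test: one HEAD-style request with HTTP Basic auth and
    // short timeouts so a slow or unreachable host cannot tie up the thread.
    private static FormValidation probe(String url, String username, String password) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
            int code = conn.getResponseCode();
            return code == 200
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("Service answered HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

When the validation method belongs to a job-level configuration rather than the global one, the permission check is normally `item.checkPermission(Item.CONFIGURE)` on an `@AncestorInPath Item item` parameter instead of `Jenkins.ADMINISTER`; the `@POST` requirement is the same in both cases.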
OpenCVE Enrichment