The URL that initiates agent launches on the Jenkins master before 2.133 did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches. Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching indefinitely.
The URL that initiates agent launches on the Jenkins master before 2.133 did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches. Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching indefinitely.
https://jenkins.io/security/advisory/2018-07-18/