| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:google-compute-engine | maven | <= 4.1.1 | 4.2.0 |

The vulnerability centers on missing permission checks in auto-complete API endpoints. By Jenkins plugin convention, methods with the 'doCheck' prefix serve as form validation endpoints. The security advisory explicitly mentions that these metadata-exposing endpoints required adding Job/Configure permission checks in 4.2.0. The vulnerable functions are the validation handlers for cloud configuration parameters, which were accessible with only Overall/Read permission prior to patching.
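
The following is an added example, not code from the plugin or the advisory: a source-audit heuristic that flags 'doCheck' handlers whose body contains no permission call. The sample Java class, its method names and the helper names are constructed for illustration.

```python
import re

# Constructed sample: a hypothetical descriptor, not source from the plugin.
SAMPLE_JAVA = '''
public class DescriptorImpl {
    public FormValidation doCheckProjectId(@QueryParameter String value) {
        if (value.isEmpty()) { return FormValidation.error("required"); }
        return FormValidation.ok();
    }
    public FormValidation doCheckZone(@AncestorInPath Item item,
                                      @QueryParameter String value) {
        item.checkPermission(Item.CONFIGURE);  // Job/Configure
        return FormValidation.ok();
    }
}
'''

HANDLER = re.compile(r'\b(doCheck\w+)\s*\(')
PERMISSION_CALL = re.compile(r'\b(?:checkPermission|hasPermission)\s*\(')
BODY_OR_END = re.compile(r'[{;]')

def _closing(src, start, open_ch, close_ch):
    """Index of the delimiter that closes the one at src[start], or -1."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    return -1

def unchecked_handlers(src):
    """Names of doCheck* methods whose body has no permission call.
    Heuristic: braces inside string literals or comments are not handled."""
    flagged = []
    for m in HANDLER.finditer(src):
        close_paren = _closing(src, m.end() - 1, '(', ')')
        if close_paren == -1:
            continue
        nxt = BODY_OR_END.search(src, close_paren + 1)
        if nxt is None or nxt.group() == ';':
            continue  # a call or a bodiless declaration, not a definition
        end = _closing(src, nxt.start(), '{', '}')
        body = src[nxt.start():end if end != -1 else len(src)]
        if not PERMISSION_CALL.search(body):
            flagged.append(m.group(1))
    return flagged
```

A flagged handler is a candidate for manual review only; the heuristic does not see checks enforced elsewhere, such as in a helper method or a caller.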