Jenkins Improper Input Validation Vulnerability - CVE-2017-1000401 - Vulnerability Database

Low
Reference: CVE-2017-1000401
Title: Jenkins Improper Input Validation Vulnerability
Overview:

In Jenkins 2.73.1 and earlier, 2.83 and earlier, the default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.
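
One way to audit existing access logs for the exposure described above, as an added example that is not part of the original advisory: it flags GET requests to form validation endpoints that carry a query string and rewrites the line with the parameter values redacted. The `check…` URL shape, the `value` parameter name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access-log lines (Common Log Format); not real data.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Oct/2017:10:01:02 +0000] "GET /descriptorByName/com.example.ApiStep/checkApiKey?value=s3cr3t-token HTTP/1.1" 200 45
10.0.0.5 - alice [12/Oct/2017:10:01:05 +0000] "POST /descriptorByName/com.example.ApiStep/checkApiKey HTTP/1.1" 200 45
10.0.0.7 - bob [12/Oct/2017:10:02:00 +0000] "GET /job/build/api/json?depth=1 HTTP/1.1" 200 900
"""

# Request line as it appears inside the quoted field of a CLF entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a form validation endpoint ends in a "checkXxx" path segment.
CHECK_PATH = re.compile(r"/check[A-Z]\w*$")


def scan_line(line):
    """Return (is_finding, line with query values redacted if it is one)."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "GET":
        return False, line  # POST bodies are not written to the access log
    parts = urlsplit(m.group("target"))
    if not parts.query or not CHECK_PATH.search(parts.path):
        return False, line
    # Keep parameter names for triage, drop every value.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = urlencode([(name, "REDACTED") for name, _ in pairs])
    target = parts.path + "?" + redacted
    return True, line[:m.start("target")] + target + line[m.end("target"):]


def scan(log_text):
    """Return (1-based line numbers of findings, redacted log text)."""
    findings, out = [], []
    for number, line in enumerate(log_text.splitlines(), 1):
        hit, cleaned = scan_line(line)
        if hit:
            findings.append(number)
        out.append(cleaned)
    return findings, "\n".join(out)


if __name__ == "__main__":
    hits, cleaned_log = scan(SAMPLE_LOG)
    print("lines with form validation sent via GET:", hits)
    print(cleaned_log)
```

Not every validated field is a secret, so each flagged line is a candidate for review; any value confirmed to be a credential should be rotated.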