CVE-2019-10368
Description
CSRF vulnerability in Jenkins JClouds Plugin allows attackers with Overall/Read access to capture stored credentials by tricking a user into connecting to an attacker-controlled URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Jenkins JClouds Plugin allows attackers with Overall/Read access to capture stored credentials by tricking a user into connecting to an attacker-controlled URL.
Vulnerability
Overview
CVE-2019-10368 is a cross-site request forgery (CSRF) vulnerability in the Jenkins JClouds Plugin versions 2.14 and earlier. The flaw exists in the BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection methods, which lack a proper permission check and CSRF protection. This allows an attacker to craft a malicious request that, when executed by an authenticated Jenkins user, can connect to an attacker-specified URL using attacker-specified credential IDs [1][2].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must first obtain valid credential IDs stored in Jenkins, which could be achieved through another vulnerability or information disclosure. The attacker then needs to trick a user with at least Overall/Read access into performing an action (e.g., clicking a link) that triggers the CSRF request. No additional authentication is required beyond the victim's session [1].
Impact
Successful exploitation allows the attacker to capture credentials stored in Jenkins by having the victim's browser connect to an attacker-controlled server with the specified credential IDs. This can lead to the compromise of sensitive credentials used for cloud services and other integrations [1][2].
Mitigation
The vulnerability is fixed in JClouds Plugin version 2.15, released on August 7, 2019. Users are advised to upgrade immediately. No workaround is available for earlier versions [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:jclouds-jenkinsMaven | < 2.15 | 2.15 |
Affected products
2- Range: 2.14 and earlier
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-87hx-q65g-r35xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10368ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/08/07/1ghsamailing-listx_refsource_MLISTWEB
- jenkins.io/security/advisory/2019-08-07/ghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/r42b7ff290ed5ec8f27f12c54fff54462ffc4bcf6a5015c37fece94ac%40%3Cnotifications.jclouds.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r6c4693d03d15391814c647742db49a4d9937fa34573fb66103d57b45%40%3Cnotifications.jclouds.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r725e55670dbdd214f3cfdfea255b72a75fa9a4f0c6c9d109b29c7881%40%3Cnotifications.jclouds.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
News mentions
0No linked articles in our index yet.