VYPR
Moderate severity · NVD Advisory · Published Aug 7, 2019 · Updated Aug 4, 2024

CVE-2019-10369

Description

Missing permission check in Jenkins JClouds Plugin allows users with Overall/Read access to connect to attacker-specified URLs and capture stored credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-10369 is a missing permission check in the Jenkins JClouds Plugin versions 2.14 and earlier. The flaw exists in the BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection methods, which do not properly verify that the user has the required permissions to perform connection tests. This allows users with only Overall/Read access to invoke these methods, bypassing the intended authorization checks [1][2].

Exploitation

An attacker must first obtain valid credential IDs stored in Jenkins, which could be achieved through other vulnerabilities or information disclosure. With Overall/Read access, the attacker can then invoke the test connection functionality against an attacker-specified URL using those credential IDs. The plugin attempts the connection with the referenced credentials, so the attacker-controlled endpoint can capture them [1]. The attack requires no privileges beyond Overall/Read, making it a low-barrier exploitation path.

Impact

Successful exploitation allows an attacker to capture credentials stored in Jenkins, such as passwords, API tokens, or SSH keys. This can lead to further compromise of Jenkins and connected systems. The vulnerability is rated as Medium severity (CVSS score not explicitly provided in references, but described as Medium in the advisory) [1][3].

Mitigation

The issue is fixed in JClouds Plugin version 2.15. Users are strongly advised to upgrade to this version or later. No workaround is mentioned in the advisory, but administrators should ensure that only trusted users have Overall/Read access and monitor for suspicious test connection attempts [1][2].
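The following is an added illustration, not code from the JClouds Plugin: a Jenkins Descriptor form-validation method in the vulnerable shape described above (no permission check before the outbound connection) beside the hardened shape that Jenkins plugin guidance prescribes, requiring a POST and Overall/Administer before anything is sent. The class ExampleCloud, the tryConnect helper and the parameter names are assumptions; whether version 2.15 applied exactly this change is not stated on this page.

```java
// Added illustration, not the JClouds Plugin's own code. ExampleCloud,
// tryConnect and the parameter names are assumptions for this example.
import hudson.Extension;
import hudson.model.Describable;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleCloud implements Describable<ExampleCloud> {

    @Override
    public Descriptor<ExampleCloud> getDescriptor() {
        return Jenkins.get().getDescriptorOrDie(getClass());
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleCloud> {

        // VULNERABLE SHAPE: any user who can reach the form-validation URL
        // (Overall/Read is enough) can make Jenkins connect to endPointUrl
        // with the credential named by credentialsId. Nothing checks the caller.
        public FormValidation doTestConnectionVulnerable(
                @QueryParameter String endPointUrl,
                @QueryParameter String credentialsId) {
            return tryConnect(endPointUrl, credentialsId);
        }

        // HARDENED SHAPE: only accept POST, and require Overall/Administer
        // before any outbound connection is attempted.
        @RequirePOST
        public FormValidation doTestConnection(
                @QueryParameter String endPointUrl,
                @QueryParameter String credentialsId) {
            // Throws AccessDeniedException for callers lacking Overall/Administer,
            // so the request is rejected before credentials leave Jenkins.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return tryConnect(endPointUrl, credentialsId);
        }

        // Stand-in for the real connection test (assumption); the validation
        // of the URL is the only behaviour shown here.
        private FormValidation tryConnect(String url, String credentialsId) {
            if (url == null || url.isEmpty()) {
                return FormValidation.error("Endpoint URL is required");
            }
            return FormValidation.ok("Would test " + url + " with " + credentialsId);
        }
    }
}
```

Administrators reviewing a plugin can apply the same check to every doTestConnection, doCheck* and doFill* method that takes a URL or credential ID from the request.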

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:jclouds-jenkins (Maven)
Affected versions: < 2.15
Patched versions: 2.15

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 10

News mentions: 0 (no linked articles in the index yet)