VYPR
High severity · NVD Advisory · Published Oct 23, 2019 · Updated Aug 4, 2024

CVE-2019-10471

Description

A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Libvirt Slaves Plugin CSRF allows attackers to connect to attacker-controlled SSH servers, capturing stored credentials.

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Libvirt Slaves Plugin, because many of its configuration forms lack proper CSRF protection. The plugin did not enforce a check of the HTTP method (e.g., POST) for form submissions, allowing attackers to forge requests on behalf of authenticated users [1][4]. Specifically, the input fields in forms such as snapshotName, hypervisorHost, username, and others were missing the checkMethod="post" attribute, making them vulnerable to CSRF attacks [4].

To exploit this vulnerability, an attacker must trick a Jenkins user with sufficient permissions (e.g., who can configure Libvirt Slaves) into clicking a crafted link or visiting a malicious page that submits a request to the Jenkins server. The attacker also needs to know valid credentials IDs (obtained through other means, such as reading Jenkins files if accessible) and specify an attacker-controlled SSH server [1]. The forged request then connects Jenkins to the attacker's SSH server using those credentials.

The impact is that an attacker can capture the credentials stored in Jenkins by causing the plugin to connect to an SSH server under their control. This could lead to credential theft and further compromise of the Jenkins environment [1][2]. The vulnerability is rated medium severity.

The Jenkins project released a security advisory on 2019-10-23 and fixed the plugin by adding checkMethod="post" to all relevant form entries, as seen in commit 231c41e [4]. Users are advised to update the Libvirt Slaves Plugin to a version containing this fix. There are no known workarounds; updating is the recommended mitigation [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
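The fix described above adds checkMethod="post" to form controls one by one. As an added example (not code from the page or the plugin), the following audit parses a Jelly form fragment and lists every form control whose validation request would still be issued as GET, putting the ones with an explicit checkUrl first because those are certain to fire a request. The sample fragment is constructed in the style of the plugin's Hypervisor/config.jelly; the /lib/form namespace URI is the one the patched files declare.

```python
# Added example, not from the advisory or the libvirt-slave plugin: audit a
# Jenkins Jelly form fragment for controls missing checkMethod="post".
import xml.etree.ElementTree as ET

FORM_NS = "/lib/form"  # namespace of the f: tag library used by Jenkins forms
CONTROLS = {"textbox", "checkbox", "select", "textarea", "password"}

# Constructed sample modelled on the patched views: one control already fixed,
# one plain textbox without the attribute, one with an explicit checkUrl.
SAMPLE_JELLY = """<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="${%Hypervisor Host}" field="hypervisorHost">
    <f:textbox checkMethod="post"/>
  </f:entry>
  <f:entry title="${%Username}" field="username">
    <f:textbox />
  </f:entry>
  <f:entry title="${%Startup Idle (sec)}" field="startupWaitingPeriodSeconds">
    <f:textbox default="60" checkUrl="'${rootURL}/plugin/x/check?v='+this.value"/>
  </f:entry>
</j:jelly>
"""


def find_get_validated_controls(jelly_text):
    """Return (field, tag, has_check_url) for each f: control inside an
    f:entry that is not declared with checkMethod="post".  Entries that carry
    an explicit checkUrl are sorted first: they definitely trigger a
    validation request, the others only if a matching doCheck* method exists."""
    root = ET.fromstring(jelly_text)
    findings = []
    for entry in root.iter("{%s}entry" % FORM_NS):
        entry_field = entry.get("field")
        for child in entry:  # direct children only: the control of this entry
            if not child.tag.startswith("{%s}" % FORM_NS):
                continue
            tag = child.tag.split("}")[-1]
            if tag not in CONTROLS:
                continue
            if child.get("checkMethod", "").lower() == "post":
                continue  # already fixed
            name = child.get("field") or entry_field or child.get("name")
            findings.append((name, tag, child.get("checkUrl") is not None))
    findings.sort(key=lambda f: not f[2])  # checkUrl-bearing controls first
    return findings


if __name__ == "__main__":
    for field, tag, explicit in find_get_validated_controls(SAMPLE_JELLY):
        print("%-32s f:%-8s %s" % (field, tag,
              "explicit checkUrl" if explicit else "implicit doCheck only"))
```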

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:libvirt-slave (Maven)
Affected versions: < 1.8.6
Patched versions: 1.8.6

Patches (1)

231c41e0e4ec

Ensure POST requests

https://github.com/jenkinsci/libvirt-slave-plugin · Benedikt Spranger · Jun 8, 2020 · via ghsa
3 files changed · +14 −14
  • src/main/resources/hudson/plugins/libvirt/BeforeJobSnapshotJobProperty/config.jelly+1 1 modified
    @@ -6,7 +6,7 @@
                          help="/plugin/libvirt-slave/help-libvirt-jobUseSnapshots.html">
     
             <f:entry title="${%Before Run Snapshot}" field="snapshotName" help="/plugin/libvirt-slave/help-libvirt-beforeJobSnapshotJobProperty.html">
    -            <f:textbox class="setting-input" name="snapshotName" value="${instance.snapshotName}" />
    +            <f:textbox checkMethod="post" class="setting-input" name="snapshotName" value="${instance.snapshotName}" />
             </f:entry>
     
         </f:optionalBlock>
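Review bot: checkMethod="post" on the snapshotName textbox only changes the HTTP method the browser uses for that field's validation request; this entry declares no checkUrl, so whether any request is affected depends on a doCheckSnapshotName handler that is not part of this diff. Please confirm that handler, if it exists, also rejects GET on the server side (for example with @RequirePOST), since a client-side attribute alone does not stop a crafted cross-site request from calling the endpoint directly.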
    
  • src/main/resources/hudson/plugins/libvirt/Hypervisor/config.jelly+6 6 modified
    @@ -9,24 +9,24 @@ xmlns:c="/lib/credentials" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
             </select>
         </f:entry>
         <f:entry title="${%Hypervisor Host}" field="hypervisorHost" help="/plugin/libvirt-slave/help-libvirt-hypervisorHost.html">
    -        <f:textbox />
    +        <f:textbox checkMethod="post"/>
         </f:entry>
         <f:entry title="${%Username}" field="username" help="/plugin/libvirt-slave/help-libvirt-username.html">
    -        <f:textbox />
    +        <f:textbox checkMethod="post"/>
         </f:entry>
         <f:advanced>
             <f:entry title="${%SSH Port}" field="hypervisorSshPort" help="/plugin/libvirt-slave/help-libvirt-hypervisorSshPort.html">
    -            <f:textbox default="22"/>
    +            <f:textbox checkMethod="post" default="22"/>
             </f:entry>
             <f:entry title="${%URI parameters}" field="hypervisorSystemUrl" help="/plugin/libvirt-slave/help-libvirt-hypervisorUrl.html">
    -            <f:textbox default="system?no_tty=1"/>
    +            <f:textbox checkMethod="post" default="system?no_tty=1"/>
             </f:entry>
             <f:entry title="${%Concurrent Slaves Capacity}" help="/plugin/libvirt-slave/help-libvirt-maxOnlineSlaves.html">
    -            <f:textbox clazz="required number" field="maxOnlineSlaves" />
    +            <f:textbox checkMethod="post" clazz="required number" field="maxOnlineSlaves" />
             </f:entry>
     
             <f:entry title="${%Use Native Java libvirt client}" field="useNativeJavaConnection">
    -            <f:checkbox />
    +            <f:checkbox checkMethod="post"/>
             </f:entry>
     
             <f:entry title="${%Native Credentials}" field="credentialsId">
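Review bot: the hunk stops at the Native Credentials entry (field="credentialsId") and its control receives no checkMethod="post" in this change; since the advisory concerns attacker-specified credentials IDs used together with hypervisorHost and username, please confirm that control and any connection-test validation behind these fields is covered too. More generally, this commit touches only the Jelly views: the doCheck/doFill handlers on the Hypervisor descriptor should enforce POST and a permission check server-side, because the attribute added here only changes what the browser sends.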
    
  • src/main/resources/hudson/plugins/libvirt/VirtualMachineSlave/configure-entries.jelly+7 7 modified
    @@ -38,27 +38,27 @@
         </f:entry>
     
         <f:entry title="${%Description}" help="/help/system-config/master-slave/description.html">
    -        <f:textbox field="nodeDescription"/>
    +        <f:textbox checkMethod="post" field="nodeDescription"/>
         </f:entry>
     
         <f:entry title="${%Startup Idle (sec)}" field="startupWaitingPeriodSeconds" help="/plugin/libvirt-slave/help-libvirt-waitingperiod.html">
    -        <f:textbox default="60" checkUrl="'${rootURL}/plugin/libvirt-slave/checkStartupWaitingPeriodSeconds?secsValue='+this.value"/>
    +        <f:textbox checkMethod="post" default="60" checkUrl="'${rootURL}/plugin/libvirt-slave/checkStartupWaitingPeriodSeconds?secsValue='+this.value"/>
         </f:entry>
     
         <f:entry title="${%Times to Retry Startup}" field="startupTimesToRetryOnFailure" help="/plugin/libvirt-slave/help-libvirt-timesToRetryOnFailure.html">
    -        <f:textbox default="0" checkUrl="'${rootURL}/plugin/libvirt-slave/checkStartupTimesToRetryOnFailure?retriesValue='+this.value"/>
    +        <f:textbox checkMethod="post" default="0" checkUrl="'${rootURL}/plugin/libvirt-slave/checkStartupTimesToRetryOnFailure?retriesValue='+this.value"/>
         </f:entry>
     
         <f:entry title="${%# of executors}" field="numExecutors">
    -        <f:textbox/>
    +        <f:textbox checkMethod="post"/>
         </f:entry>
     
         <f:entry title="${%Remote FS root}" field="remoteFS">
    -        <f:textbox/>
    +        <f:textbox checkMethod="post"/>
         </f:entry>
     
         <f:entry title="${%Labels}" field="labelString">
    -        <f:textbox/>
    +        <f:textbox checkMethod="post"/>
         </f:entry>
     
         <f:entry title="${%Shutdown Method}" field="shutdownMethod" help="/plugin/libvirt-slave/help-libvirt-shutdownMethod.html">
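Review bot: startupWaitingPeriodSeconds and startupTimesToRetryOnFailure use explicit checkUrl endpoints under ${rootURL}/plugin/libvirt-slave/ with their values in the query string (secsValue, retriesValue); switching them to POST means those plugin-level handlers must read the values as form parameters as well, and this commit does not touch them, so please verify both validators still work after the change and reject GET. The remaining textboxes (nodeDescription, numExecutors, remoteFS, labelString) declare no checkUrl, so the attribute is harmless there but only matters where a matching doCheck method exists.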
    @@ -76,7 +76,7 @@
         </f:entry>
     
         <f:entry title="${%Reboot this slave after each build}" field="rebootAfterRun">
    -        <f:checkbox/>
    +        <f:checkbox checkMethod="post"/>
         </f:entry>
     
     
    