CVE-2019-10472
Description
A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Libvirt Slaves Plugin missing permission check allows attackers with Overall/Read to capture stored credentials via attacker-controlled SSH server.
Vulnerability
CVE-2019-10472 is a missing permission check in the Jenkins Libvirt Slaves Plugin. The plugin does not verify that the calling user holds the required permission before it connects to a user-specified SSH server, so attackers with only Overall/Read permission can trigger the connection [1][3].
Exploitation
To exploit, an attacker needs Overall/Read permission and must obtain credential IDs (e.g., through another vulnerability or by accessing configuration files). The attacker can then use the plugin to connect to an attacker-controlled SSH server, capturing the credentials stored in Jenkins [1]. The lack of a permission check on relevant form fields means that even low-privileged users can trigger this operation [4].
Impact
Successful exploitation allows an attacker to capture credentials stored in Jenkins, potentially leading to further compromise of Jenkins and connected systems [1][3]. The captured credentials may include SSH keys, passwords, or other secrets used for automation.
Mitigation
As of the advisory date, the issue remained unresolved in the Libvirt Slaves Plugin [2]. Administrators should restrict Overall/Read access where possible and monitor for unusual outbound SSH connections. A subsequent commit added HTTP method enforcement [4], but a full fix requires proper permission checks.
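The fix pattern described in the Vulnerability and Mitigation sections, as an added Java example that is not the plugin's own code: a hypothetical Jenkins descriptor whose connection-test endpoint fails closed before it touches credentials or the network. `@POST`, `Jenkins.ADMINISTER`, `FormValidation` and `@QueryParameter` are real Jenkins/Stapler APIs; the class name and the `connect` placeholder are assumptions.

```java
package example; // hypothetical package, not the plugin's

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical descriptor used only to illustrate the endpoint pattern. */
public class HypervisorDescriptorExample {

    // BEFORE: the vulnerable shape. Anyone who can reach the URL (Overall/Read
    // suffices) makes Jenkins open an SSH session to a host of their choosing,
    // authenticating with whatever credentials ID they name, and a plain GET works.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String hypervisorHost,
                                                     @QueryParameter String credentialsId) {
        return connect(hypervisorHost, credentialsId);
    }

    // AFTER: reject the request before any side effect.
    @POST // server-side counterpart of checkMethod="post" in the jelly view
    public FormValidation doTestConnection(@QueryParameter String hypervisorHost,
                                           @QueryParameter String credentialsId) {
        // Throws AccessDeniedException3 for any caller without Overall/Administer,
        // so the credential lookup and the outbound connection never happen.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        if (hypervisorHost == null || hypervisorHost.trim().isEmpty()) {
            return FormValidation.error("Hypervisor Host is not specified!");
        }
        if (credentialsId == null || credentialsId.trim().isEmpty()) {
            return FormValidation.error("Credentials are not specified!");
        }
        return connect(hypervisorHost, credentialsId);
    }

    // Placeholder (assumption) for the real SSH/libvirt connection attempt.
    private FormValidation connect(String host, String credentialsId) {
        return FormValidation.ok("Connection to " + host + " succeeded");
    }
}
```

The ordering is the point: the permission check sits ahead of the input validation and the connection, so a low-privileged caller gets an access-denied response rather than a connection attempt with stored credentials.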
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:libvirt-slave (Maven) | < 1.8.6 | 1.8.6 |
Affected products
- (no CPE); version range: 1.8.5 and earlier
Patches
231c41e0e4ec: Ensure POST requests
3 files changed · +14 −14
src/main/resources/hudson/plugins/libvirt/BeforeJobSnapshotJobProperty/config.jelly+1 −1 modified@@ -6,7 +6,7 @@ help="/plugin/libvirt-slave/help-libvirt-jobUseSnapshots.html"> <f:entry title="${%Before Run Snapshot}" field="snapshotName" help="/plugin/libvirt-slave/help-libvirt-beforeJobSnapshotJobProperty.html"> - <f:textbox class="setting-input" name="snapshotName" value="${instance.snapshotName}" /> + <f:textbox checkMethod="post" class="setting-input" name="snapshotName" value="${instance.snapshotName}" /> </f:entry> </f:optionalBlock>
src/main/resources/hudson/plugins/libvirt/Hypervisor/config.jelly+6 −6 modified@@ -9,24 +9,24 @@ xmlns:c="/lib/credentials" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> </select> </f:entry> <f:entry title="${%Hypervisor Host}" field="hypervisorHost" help="/plugin/libvirt-slave/help-libvirt-hypervisorHost.html"> - <f:textbox /> + <f:textbox checkMethod="post"/> </f:entry> <f:entry title="${%Username}" field="username" help="/plugin/libvirt-slave/help-libvirt-username.html"> - <f:textbox /> + <f:textbox checkMethod="post"/> </f:entry> <f:advanced> <f:entry title="${%SSH Port}" field="hypervisorSshPort" help="/plugin/libvirt-slave/help-libvirt-hypervisorSshPort.html"> - <f:textbox default="22"/> + <f:textbox checkMethod="post" default="22"/> </f:entry> <f:entry title="${%URI parameters}" field="hypervisorSystemUrl" help="/plugin/libvirt-slave/help-libvirt-hypervisorUrl.html"> - <f:textbox default="system?no_tty=1"/> + <f:textbox checkMethod="post" default="system?no_tty=1"/> </f:entry> <f:entry title="${%Concurrent Slaves Capacity}" help="/plugin/libvirt-slave/help-libvirt-maxOnlineSlaves.html"> - <f:textbox clazz="required number" field="maxOnlineSlaves" /> + <f:textbox checkMethod="post" clazz="required number" field="maxOnlineSlaves" /> </f:entry> <f:entry title="${%Use Native Java libvirt client}" field="useNativeJavaConnection"> - <f:checkbox /> + <f:checkbox checkMethod="post"/> </f:entry> <f:entry title="${%Native Credentials}" field="credentialsId">
src/main/resources/hudson/plugins/libvirt/VirtualMachineSlave/configure-entries.jelly+7 −7 modified@@ -38,27 +38,27 @@ </f:entry> <f:entry title="${%Description}" help="/help/system-config/master-slave/description.html"> - <f:textbox field="nodeDescription"/> + <f:textbox checkMethod="post" field="nodeDescription"/> </f:entry> <f:entry title="${%Startup Idle (sec)}" field="startupWaitingPeriodSeconds" help="/plugin/libvirt-slave/help-libvirt-waitingperiod.html"> - <f:textbox default="60" checkUrl="'${rootURL}/plugin/libvirt-slave/checkStartupWaitingPeriodSeconds?secsValue='+this.value"/> + <f:textbox checkMethod="post" default="60" checkUrl="'${rootURL}/plugin/libvirt-slave/checkStartupWaitingPeriodSeconds?secsValue='+this.value"/> </f:entry> <f:entry title="${%Times to Retry Startup}" field="startupTimesToRetryOnFailure" help="/plugin/libvirt-slave/help-libvirt-timesToRetryOnFailure.html"> - <f:textbox default="0" checkUrl="'${rootURL}/plugin/libvirt-slave/checkStartupTimesToRetryOnFailure?retriesValue='+this.value"/> + <f:textbox checkMethod="post" default="0" checkUrl="'${rootURL}/plugin/libvirt-slave/checkStartupTimesToRetryOnFailure?retriesValue='+this.value"/> </f:entry> <f:entry title="${%# of executors}" field="numExecutors"> - <f:textbox/> + <f:textbox checkMethod="post"/> </f:entry> <f:entry title="${%Remote FS root}" field="remoteFS"> - <f:textbox/> + <f:textbox checkMethod="post"/> </f:entry> <f:entry title="${%Labels}" field="labelString"> - <f:textbox/> + <f:textbox checkMethod="post"/> </f:entry> <f:entry title="${%Shutdown Method}" field="shutdownMethod" help="/plugin/libvirt-slave/help-libvirt-shutdownMethod.html"> @@ -76,7 +76,7 @@ </f:entry> <f:entry title="${%Reboot this slave after each build}" field="rebootAfterRun"> - <f:checkbox/> + <f:checkbox checkMethod="post"/> </f:entry>
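Review bot: `checkMethod="post"` on these `<f:textbox>` and `<f:checkbox>` elements only changes the HTTP verb the form's JavaScript uses when it calls the validation URL; none of the three jelly hunks adds a permission check, and the server-side `doCheck*`/`doTestConnection` methods those fields call are not touched in this commit, so a direct GET request to the same URL is still accepted. This change should be paired with `@POST` (or `@RequirePOST`) on the Java methods and an explicit `checkPermission` before any connection is attempted, as the follow-up commit on this page begins to do. Also note that the Hypervisor `config.jelly` hunk ends right at `<f:entry title="${%Native Credentials}" field="credentialsId">`; the credentials widget itself is outside the visible context, so this diff does not show whether that field was covered.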
c671d68f9498: Add permission checks
2 files changed · +4 −0
src/main/java/hudson/plugins/libvirt/Hypervisor.java+2 −0 modified@@ -497,6 +497,8 @@ public FormValidation doTestConnection(@QueryParameter String hypervisorType, @QueryParameter boolean useNativeJavaConnection, @QueryParameter String credentialsId) throws Exception, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + try { if (hypervisorHost == null) { return FormValidation.error("Hypervisor Host is not specified!");
src/main/java/hudson/plugins/libvirt/PluginImpl.java+2 −0 modified@@ -113,6 +113,7 @@ public boolean apply(@Nullable final Hypervisor input) { public FormValidation doCheckStartupWaitingPeriodSeconds(@QueryParameter String secsValue) throws IOException, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); try { int v = Integer.parseInt(secsValue); if (v < 0) { @@ -130,6 +131,7 @@ public FormValidation doCheckStartupWaitingPeriodSeconds(@QueryParameter String public FormValidation doCheckStartupTimesToRetryOnFailure(@QueryParameter String retriesValue) throws IOException, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); try { int v = Integer.parseInt(retriesValue); if (v < 0) {
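Review bot: in the `Hypervisor.java` hunk, `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` is correctly placed before the `try` block so no connection is attempted for a caller without Overall/Administer, but `doTestConnection` still carries no `@POST`/`@RequirePOST` annotation; the previous commit only set `checkMethod="post"` in the view, so a crafted GET still reaches this method and, while it is now rejected by the permission check, the verb restriction should be enforced here too rather than relying on how the form happens to be rendered.

Review bot: in the two `PluginImpl.java` hunks, `doCheckStartupWaitingPeriodSeconds` and `doCheckStartupTimesToRetryOnFailure` only parse an integer and return a `FormValidation`, so the added `checkPermission(Jenkins.ADMINISTER)` is defense in depth rather than a fix for the credential-capture issue; that is reasonable for consistency, but since both are reached via the `checkUrl` on the slave configuration form (`/plugin/libvirt-slave/checkStartupWaitingPeriodSeconds?secsValue=...`), consider whether Overall/Administer is the right permission for a node-level form, or whether the check should be scoped to the permission that governs configuring that node.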
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m36j-f2hf-qgj2 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10472 (ghsa: ADVISORY)
- www.openwall.com/lists/oss-security/2019/10/23/2 (ghsa: mailing-list, x_refsource_MLIST, WEB)
- github.com/jenkinsci/libvirt-slave-plugin/commit/231c41e0e4ecb2d25247cc2775e1fe18d64a1703 (ghsa: WEB)
- github.com/jenkinsci/libvirt-slave-plugin/commit/c671d68f9498414a735913c9372ede8b4791bfee (ghsa: WEB)
- jenkins.io/security/advisory/2019-10-23/ (mitre: x_refsource_CONFIRM)
- jenkins.io/security/advisory/2019-10-23/ (ghsa: WEB)