CVE-2019-10473
Description
A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Libvirt Slaves Plugin fails to check permissions in form-related methods, allowing users with Overall/Read access to enumerate stored credentials IDs.
Vulnerability
CVE-2019-10473 in the Jenkins Libvirt Slaves Plugin is a missing permission check in form-related methods that allows users with Overall/Read access to enumerate the IDs of credentials stored in Jenkins. The vulnerability was reported in the Jenkins Security Advisory 2019-10-23 [1][2].
Exploitation
An attacker with Overall/Read permission on a Jenkins instance can exploit this flaw without needing any further privileges. The form-related methods do not enforce proper access control, enabling the attacker to list credential IDs stored in Jenkins, even though they would not normally have access to those credentials [1].
Impact
By enumerating credential IDs, an attacker can gather information about the types and locations of credentials stored in Jenkins, which may aid in further targeted attacks. While the credentials themselves are not exposed, the disclosure of IDs can be a stepping stone for privilege escalation or lateral movement [1].
Mitigation
At the time of the advisory, no fix was available for the Libvirt Slaves Plugin. The advisory notes that the plugin was listed as an unresolved security issue [2]. Subsequent releases of the plugin (e.g., 315.v5d33b_333a_551) may include fixes, but users should verify and upgrade accordingly. The official Jenkins security advisory recommends applying plugin updates as they become available [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:libvirt-slave (Maven) | < 1.8.6 | 1.8.6 |
Affected products
- (no CPE)
- (no CPE), range: 1.8.5 and earlier
Patches
c671d68f9498 Add permission checks
2 files changed · +4 −0
src/main/java/hudson/plugins/libvirt/Hypervisor.java+2 −0 modified@@ -497,6 +497,8 @@ public FormValidation doTestConnection(@QueryParameter String hypervisorType, @QueryParameter boolean useNativeJavaConnection, @QueryParameter String credentialsId) throws Exception, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); + try { if (hypervisorHost == null) { return FormValidation.error("Hypervisor Host is not specified!");
src/main/java/hudson/plugins/libvirt/PluginImpl.java+2 −0 modified@@ -113,6 +113,7 @@ public boolean apply(@Nullable final Hypervisor input) { public FormValidation doCheckStartupWaitingPeriodSeconds(@QueryParameter String secsValue) throws IOException, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); try { int v = Integer.parseInt(secsValue); if (v < 0) { @@ -130,6 +131,7 @@ public FormValidation doCheckStartupWaitingPeriodSeconds(@QueryParameter String public FormValidation doCheckStartupTimesToRetryOnFailure(@QueryParameter String retriesValue) throws IOException, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); try { int v = Integer.parseInt(retriesValue); if (v < 0) {
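Review bot: in the `Hypervisor.java` hunk, `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` sits before the `try` in `doTestConnection`, so a caller without Overall/Administer gets an access-denied response rather than a `FormValidation` result; that is the right ordering, since the method accepts a `credentialsId` and the advisory's concern is Overall/Read users probing credential IDs through it. The hunk adds no import (its second `+` line is blank), so `jenkins.model.Jenkins` must already be imported in this file and the plugin's minimum Jenkins core must provide `Jenkins.get()`; both are worth confirming. Also, none of the visible hunks touch a method that lists credential IDs for the form's dropdown; if this plugin has a `doFill...Items` method for the credentials field, it needs the same check.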
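Review bot: the check added to `doCheckStartupWaitingPeriodSeconds` (first `PluginImpl.java` hunk) guards a method that only parses and range-checks an integer, so on its own it discloses nothing; requiring Overall/Administer there is consistent with the other hunks rather than strictly necessary, and the commit message should say so, otherwise a later contributor may drop it as redundant. Style: the `Hypervisor.java` hunk follows the new check with a blank line and this one does not; pick one form.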
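Review bot: with the second `PluginImpl.java` hunk (`doCheckStartupTimesToRetryOnFailure`) the same `checkPermission` line is now copied into three Stapler methods with no accompanying test. A test that invokes each of these methods as a user holding only Overall/Read and asserts an access-denied exception (a `JenkinsRule` with a `MockAuthorizationStrategy` is the usual way) would lock the fix in, since one-line guards like these are the easiest thing to lose in a refactor.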
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8j3m-j6x6-cp5v (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10473 (GHSA advisory)
- www.openwall.com/lists/oss-security/2019/10/23/2 (GHSA mailing list, x_refsource_MLIST)
- github.com/jenkinsci/libvirt-slave-plugin/commit/c671d68f9498414a735913c9372ede8b4791bfee (GHSA web)
- jenkins.io/security/advisory/2019-10-23/ (MITRE, x_refsource_CONFIRM)
- jenkins.io/security/advisory/2019-10-23/ (GHSA web)
News mentions
No linked articles in our index yet.