CVE-2019-16547
Description
Missing permission checks in Jenkins Google Compute Engine Plugin API endpoints expose limited configuration and environment details to users with Overall/Read permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Analysis
CVE-2019-16547 describes missing permission checks in various API endpoints of the Jenkins Google Compute Engine Plugin (versions 4.1.1 and earlier). The root cause is that these endpoints fail to enforce adequate authorization, allowing a user with only the low-privilege Overall/Read permission to access information that should require higher privileges [1][2].
An attacker who has authenticated access to a Jenkins instance with at least Overall/Read permission can leverage these endpoints to obtain limited information about the plugin's configuration and environment [3]. No further authentication or network access is required beyond standard Jenkins access [2].
The impact is limited to information disclosure: an attacker can learn details about the plugin's configuration (e.g., cloud provider settings and, indirectly, credentials) and the underlying environment, which could aid in planning further attacks [1].
Jenkins fixed this issue in Google Compute Engine Plugin version 4.2.0, released on November 21, 2019 [3]. Users are advised to upgrade to the latest version to restrict endpoint access to authorized users [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:google-compute-engine (Maven) | < 4.2.0 | 4.2.0 |
Affected products
- Range: 4.1.1 and earlier
Patches
139153c58a403 [maven-release-plugin] prepare release google-compute-engine-4.2.0
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -23,7 +23,7 @@ </parent> <artifactId>google-compute-engine</artifactId> - <version>4.2.0-SNAPSHOT</version> + <version>4.2.0</version> <packaging>hpi</packaging> <name>Google Compute Engine Plugin</name> @@ -63,7 +63,7 @@ <connection>scm:git:ssh://github.com/jenkinsci/google-compute-engine-plugin.git</connection> <developerConnection>scm:git:ssh://git@github.com/jenkinsci/google-compute-engine-plugin.git</developerConnection> <url>https://github.com/jenkinsci/google-compute-engine-plugin</url> - <tag>HEAD</tag> + <tag>google-compute-engine-4.2.0</tag> </scm> <properties>
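Review bot: nothing in these two pom.xml hunks touches an API endpoint or adds a permission check; the only changed lines are `<version>` (4.2.0-SNAPSHOT to 4.2.0) and the `<tag>` under `<scm>` (HEAD to google-compute-engine-4.2.0). As a patch reference for this CVE, the commit identifies the release that carries the fix rather than the fix itself, so the commits that add the authorization checks should be linked and reviewed alongside it before treating this entry as evidence of what changed.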
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v98h-rv7j-hf6j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16547 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/11/21/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- jenkins.io/security/advisory/2019-11-21/ (ghsa, x_refsource_CONFIRM, WEB)