CVE-2019-16548
Description
Jenkins Google Compute Engine Plugin 4.1.1 and earlier is vulnerable to CSRF, allowing an attacker to provision new agents without proper request validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Google Compute Engine Plugin, versions 4.1.1 and earlier. The doProvision method in ComputeEngineCloud lacked the @RequirePOST annotation, so the Stapler web method also answered GET requests and could therefore be triggered by a cross-site request [1][2][4].
To exploit this, an attacker can craft a malicious link or web page that, when visited by an authenticated Jenkins user, triggers a GET request to the doProvision endpoint. No additional authentication or privileges are required beyond the victim's session [1][2].
The impact is that an attacker can provision new agents on Google Compute Engine, potentially leading to unauthorized resource usage or further compromise within the Jenkins environment [1][3]. Because the plugin neither validated the request origin nor required a deliberate POST, a request issued from a page the victim merely visited was enough to trigger the action.
The vulnerability is fixed in Google Compute Engine Plugin version 4.2.0, which adds @RequirePOST to the doProvision method [2][4]. Users should upgrade to this version or later to mitigate the risk.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
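The narrative above turns on one missing annotation. As an added example (not code from the plugin, the advisory, or the fix commit), the following Python script is the kind of static check a reviewer can run over a Jenkins plugin source tree to catch the same omission before release: it lists every public Stapler `do*` web method that is not annotated with `@RequirePOST` (or Stapler's `@POST`). The Java it scans is a constructed sample that mirrors the shapes visible in the fix commit; the class, method bodies and line numbers are hypothetical.

```python
"""Heuristic static check for Stapler web methods that answer GET.

Added example inspired by SECURITY-1586 (doProvision without @RequirePOST).
Not part of the google-compute-engine plugin; the Java below is constructed.
"""
import re
from typing import List, Tuple

# Annotations that restrict a Stapler web method to POST. @RequirePOST is the one
# the fix commit imports (org.kohsuke.stapler.interceptor.RequirePOST); @POST is
# Stapler's verb annotation (org.kohsuke.stapler.verb.POST).
POST_ONLY_ANNOTATIONS = {"RequirePOST", "POST"}

# A public method whose name follows Stapler's do<Name>( convention. The
# [^;{=] class stops the match at a statement or body boundary on the same line.
WEB_METHOD_RE = re.compile(r"\bpublic\b[^;{=]*?\b(do[A-Z]\w*)\s*\(")
ANNOTATION_RE = re.compile(r"@(\w+)")


def find_unprotected_web_methods(java_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, method_name) for each public do* method that has no
    POST-only annotation, either on the preceding annotation lines or inline."""
    findings: List[Tuple[int, str]] = []
    pending: List[str] = []  # annotations collected since the last ordinary line
    for lineno, raw in enumerate(java_source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # blank lines and comments do not break an annotation run
        match = WEB_METHOD_RE.search(line)
        annotations = ANNOTATION_RE.findall(line)
        if match:
            seen = set(pending) | set(annotations)
            if not seen & POST_ONLY_ANNOTATIONS:
                findings.append((lineno, match.group(1)))
            pending = []
        elif line.startswith("@"):
            pending.extend(annotations)  # annotation-only line(s) before a signature
        else:
            pending = []  # any other statement ends the annotation run
    return findings


# Constructed sample (hypothetical class): one method mirrors the pre-fix
# doProvision, one the post-fix doCheckCredentialsId, plus an @POST method and
# a doFill* method with no verb restriction.
SAMPLE_JAVA = """\
public class ComputeEngineCloudLike extends Cloud {

    public InstanceConfiguration getInstanceConfigurationByDescription(String description) {
        return null;
    }

    // vulnerable shape: reachable by GET, so a cross-site request can trigger it
    public HttpResponse doProvision(@QueryParameter String configuration)
            throws ServletException, IOException {
        checkPermissions(PROVISION);
        return HttpResponses.ok();
    }

    @RequirePOST
    public FormValidation doCheckCredentialsId(
            @AncestorInPath Jenkins context,
            @QueryParameter("projectId") String projectId,
            @QueryParameter String value) {
        return FormValidation.ok();
    }

    @POST public HttpResponse doRestart() { return HttpResponses.ok(); }

    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Jenkins context) {
        return new ListBoxModel();
    }
}
"""

if __name__ == "__main__":
    for lineno, name in find_unprotected_web_methods(SAMPLE_JAVA):
        print(f"line {lineno}: {name} is a public web method without @RequirePOST/@POST")
```

The output is a triage list rather than a verdict: a method that only reads state (a list-box filler, for example) may be intended to answer GET, but every state-changing `do*` method it reports, such as the `doProvision` shape above, is a candidate for the same fix the plugin shipped in 4.2.0.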
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:google-compute-engine (Maven) | < 4.2.0 | 4.2.0 |
Affected products
- Range: 4.1.1 and earlier
Patches
239153c58a403 [maven-release-plugin] prepare release google-compute-engine-4.2.0
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -23,7 +23,7 @@ </parent> <artifactId>google-compute-engine</artifactId> - <version>4.2.0-SNAPSHOT</version> + <version>4.2.0</version> <packaging>hpi</packaging> <name>Google Compute Engine Plugin</name> @@ -63,7 +63,7 @@ <connection>scm:git:ssh://github.com/jenkinsci/google-compute-engine-plugin.git</connection> <developerConnection>scm:git:ssh://git@github.com/jenkinsci/google-compute-engine-plugin.git</developerConnection> <url>https://github.com/jenkinsci/google-compute-engine-plugin</url> - <tag>HEAD</tag> + <tag>google-compute-engine-4.2.0</tag> </scm> <properties>
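Review bot: this commit contains no part of the SECURITY-1586 fix and should not be cited as the patch; both hunks are release housekeeping (4.2.0-SNAPSHOT to 4.2.0, and the scm tag from HEAD to google-compute-engine-4.2.0), which does confirm that 4.2.0 in the affected-packages table is the first released version carrying the ComputeEngineCloud.java change.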
aaf81996741c SECURITY-1586: Use @RequirePOST on ComputeEngineCloud methods.
1 file changed · +3 −0
src/main/java/com/google/jenkins/plugins/computeengine/ComputeEngineCloud.java+3 −0 modified@@ -72,6 +72,7 @@ import org.kohsuke.stapler.DataBoundSetter; import org.kohsuke.stapler.HttpResponse; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.interceptor.RequirePOST; @Getter @Log @@ -409,6 +410,7 @@ public InstanceConfiguration getInstanceConfigurationByDescription(String descri return null; } + @RequirePOST public HttpResponse doProvision(@QueryParameter String configuration) throws ServletException, IOException { checkPermissions(PROVISION); @@ -479,6 +481,7 @@ public ListBoxModel doFillCredentialsIdItems( StandardCredentials.class, context, ACL.SYSTEM, domainRequirements)); } + @RequirePOST public FormValidation doCheckCredentialsId( @AncestorInPath Jenkins context, @QueryParameter("projectId") String projectId,
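Review bot: in the doCheckCredentialsId hunk the visible context shows no permission check, whereas the doProvision hunk keeps checkPermissions(PROVISION) right after the new annotation; confirm the credential-validation method also checks a permission, because @RequirePOST only restricts the HTTP verb (so that a cross-site GET no longer triggers the method and Jenkins' crumb validation applies to the POST) and does not authorize the caller. Also, the commit message says "ComputeEngineCloud methods" while the advisory narrative names only doProvision; naming doCheckCredentialsId in the change description would make the fix scope clear to readers of the advisory.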
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-x24m-wr2f-p3vc (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-16548 (NVD)
- https://www.openwall.com/lists/oss-security/2019/11/21/1 (oss-security mailing list)
- https://github.com/jenkinsci/google-compute-engine-plugin/commit/aaf81996741c67229982f70b3eaa83894e035025 (fix commit)
- https://jenkins.io/security/advisory/2019-11-21/ (Jenkins security advisory)