CVE-2021-21627
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier lets an attacker who lures an authenticated Jenkins user to a malicious page stop hypervisor domains with that user's permissions.
Overview
CVE-2021-21627 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Libvirt Agents Plugin, affecting versions 1.9.0 and earlier. The plugin provisions Jenkins build agents as virtual machines (libvirt domains) on a libvirt-managed hypervisor such as KVM or Xen. The endpoint that stops a domain accepted requests without CSRF protection, so an attacker who lures an authenticated Jenkins user to a page under the attacker's control can have that user's browser issue a request that stops hypervisor domains without the user's knowledge [1][2].
Exploitation
An attacker exploits this by tricking a Jenkins user with the appropriate permissions into visiting a malicious web page or following a crafted link. The stop endpoint (the doControlSubmit web method, which takes a stopId query parameter) accepted any HTTP verb, and Jenkins' CSRF crumb check only covers POST requests, so a plain GET triggered from a cross-site page (an image tag or a link is enough) was processed with the victim's session and stopped the named domain [1][4]. The attacker needs no credentials on the Jenkins instance and no special network position beyond being able to make the victim's browser send the request [2].
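The request flow described above, as an added illustration: a constructed model (not code from the plugin or from Jenkins core) of how a cross-site request reaches a state-changing Stapler web method. It assumes the endpoint name `controlSubmit`, a constructed crumb value and two domain names, and encodes the two facts visible on this page: the fixed handler is restricted to POST, and Jenkins' anti-CSRF crumb check applies to POST requests only. The rejection status for a disallowed verb is modeled as 405.

```python
"""Why a GET-reachable state-changing Stapler web method is CSRF-able.

Constructed model, added here; it is not code from the Libvirt Agents
Plugin or from Jenkins core. The endpoint name, crumb value and domain
names are assumptions for the illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set, Tuple

STOP_ENDPOINT = "controlSubmit"          # assumed URL name bound to doControlSubmit
VALID_CRUMB = "c0ffee"                   # constructed per-session anti-CSRF token
PRE_PATCH = frozenset({"GET", "POST"})   # no verb restriction (<= 1.9.0)
POST_PATCH = frozenset({"POST"})         # @POST on the handler (1.9.1)


@dataclass
class Request:
    method: str
    endpoint: str
    params: dict
    authenticated: bool = True           # the browser attaches the session cookie
    crumb: Optional[str] = None          # readable only by same-origin pages


@dataclass
class Hypervisor:
    running: Set[str] = field(default_factory=lambda: {"agent-1", "agent-2"})

    def stop(self, domain: str) -> None:
        self.running.discard(domain)


def dispatch(hv: Hypervisor, req: Request, allowed: FrozenSet[str]) -> int:
    """Checks in the order a verb restriction and the crumb filter apply them."""
    if req.endpoint != STOP_ENDPOINT:
        return 404
    if req.method not in allowed:
        return 405                       # modeled @POST: GET never reaches the body
    if req.method == "POST" and req.crumb != VALID_CRUMB:
        return 403                       # crumb enforced for POST only
    if not req.authenticated:
        return 403
    hv.stop(req.params["stopId"])
    return 200


def run(method: str, crumb: Optional[str], allowed: FrozenSet[str]) -> Tuple[int, Set[str]]:
    hv = Hypervisor()
    req = Request(method, STOP_ENDPOINT, {"stopId": "agent-1"}, crumb=crumb)
    return dispatch(hv, req, allowed), hv.running


# Cross-site page with <img src="https://jenkins.example/<path>/controlSubmit?stopId=agent-1">:
# rides on the victim's cookie but cannot read the crumb.
def csrf_via_img(allowed: FrozenSet[str]) -> Tuple[int, Set[str]]:
    return run("GET", None, allowed)


# Cross-site auto-submitting form: a POST with the cookie, still no crumb.
def csrf_via_form(allowed: FrozenSet[str]) -> Tuple[int, Set[str]]:
    return run("POST", None, allowed)


# Legitimate same-origin UI request: POST carrying the crumb.
def legit_post(allowed: FrozenSet[str]) -> Tuple[int, Set[str]]:
    return run("POST", VALID_CRUMB, allowed)


if __name__ == "__main__":
    for label, allowed in (("<=1.9.0", PRE_PATCH), ("1.9.1", POST_PATCH)):
        print(label, "img GET:", csrf_via_img(allowed),
              "form POST:", csrf_via_form(allowed),
              "legit POST:", legit_post(allowed))
```

Before the fix only the GET path succeeds (a forged POST is already caught by the crumb check), which is why the single-line verb restriction is sufficient to close the CSRF vector; it does nothing about an authenticated user who legitimately holds the permission, which is the authorization layer's job.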
Impact
A successful attack stops (shuts down) virtual machine domains that the Jenkins instance manages as agents. This interrupts running builds, can cause service downtime, and may lead to data loss or corruption if a guest is not shut down cleanly [1][4]. The impact is limited to stopping domains the victim is allowed to control; the attacker gains neither code execution nor persistent access to the hypervisor or to Jenkins [3].
Mitigation
Upgrade the Libvirt Agents Plugin to version 1.9.1 or later, which restricts the stop endpoint to POST so that Jenkins' CSRF protection applies to it [2]. No workarounds are documented for older versions. The issue was published in the Jenkins security advisory of March 18, 2021, and administrators should apply the update promptly [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:libvirt-slave (Maven) | < 1.9.1 | 1.9.1 |
Affected products
- Range: <= 1.9.0
- Range: unspecified
Patches
655eab9bde26: Only allow POST verb on VM control submit
2 files changed · +5 −0
CHANGELOG.md+3 −0 modified@@ -7,6 +7,9 @@ Unreleased - Fix [JENKINS-64698](https://issues.jenkins.io/browse/JENKINS-64698A): Cannot create a libvirt agent (Thanks to Benoit Guerin for the contribution) +- Fix SECURITY-1764: + Missing CSRF protection allows to shutdown cloud nodes + (Thanks to Wadeck Follonier for the report) ### 1.9.0
src/main/java/hudson/plugins/libvirt/VirtualMachineManagementServer.java+2 −0 modified@@ -12,6 +12,7 @@ import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; +import org.kohsuke.stapler.verb.POST; import javax.servlet.ServletException; @@ -60,6 +61,7 @@ public String getJsUrl(String jsName) { return Consts.PLUGIN_JS_URL + jsName; } + @POST public void doControlSubmit(@QueryParameter("stopId") String stopId, StaplerRequest req, StaplerResponse rsp) throws ServletException, IOException, InterruptedException, VirtException {
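Review bot: in the CHANGELOG hunk, the unchanged context line links JENKINS-64698 to `https://issues.jenkins.io/browse/JENKINS-64698A`, which does not match the link text; if the trailing `A` is real rather than an extraction artifact, drop it. In the added lines, "allows to shutdown cloud nodes" should read "allows shutting down cloud nodes", and the SECURITY-1764 entry would be easier to act on if it named the release the fix ships in and linked the 2021-03-18 advisory.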
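Review bot: `@POST` on doControlSubmit closes the GET vector and brings the request under Jenkins' crumb check, but nothing in the hunk shows an authorization check; confirm that the method body (outside the diff) calls the appropriate `checkPermission` before acting on `stopId`, since a verb restriction alone does not stop an authenticated low-privilege user from sending a crumbed POST. A regression test asserting that a GET to the endpoint is rejected would keep the annotation from being silently lost in a later refactor.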
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
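The mechanic the patch addresses, as an added example: an audit script (not a tool from the plugin or from Jenkins) that scans Java source for public `do*` Stapler web methods carrying no POST-only annotation, which is exactly the state the fix corrects. It applies the rule visible in the patch, that a state-changing web method should carry `@POST` (org.kohsuke.stapler.verb.POST) or the older `@RequirePOST`; the `doCheck*`/`doFill*` exclusion follows the Jenkins naming convention for read-only form-validation endpoints and is a heuristic. The Java snippets are constructed to resemble the handler before and after the fix and are not copied from the plugin.

```python
"""Find Stapler web methods (public do*) that no HTTP-verb annotation restricts.

Added audit script, not a tool from the Libvirt Agents Plugin or from
Jenkins. The Java below is constructed to resemble the handler before and
after the fix on this page; it is not copied from the plugin.
"""
import re
from typing import List, Tuple

# Annotations that pin a web method to POST.
POST_ONLY = {"POST", "RequirePOST"}
# Jenkins naming convention for read-only GET endpoints (form validation
# and combo-box fills); a heuristic, adjust for the code base under review.
READ_ONLY_PREFIXES = ("doCheck", "doFill")

# Annotations (if any) immediately preceding a public do* method declaration.
WEB_METHOD = re.compile(
    r"(?P<annos>(?:@\w+(?:\([^)]*\))?\s*)*)"
    r"public\s+(?:(?:static|final|synchronized)\s+)*[\w<>\[\]]+\s+"
    r"(?P<name>do[A-Z]\w*)\s*\("
)


def find_unrestricted(java_source: str) -> List[Tuple[str, int]]:
    """Return (method name, 1-based line) for do* methods any verb can reach."""
    findings = []
    for m in WEB_METHOD.finditer(java_source):
        name = m.group("name")
        if name.startswith(READ_ONLY_PREFIXES):
            continue
        annotations = set(re.findall(r"@(\w+)", m.group("annos")))
        if annotations & POST_ONLY:
            continue
        line = java_source.count("\n", 0, m.start("name")) + 1
        findings.append((name, line))
    return findings


# Constructed source modelled on the pre-fix handler (not the plugin's file).
VULNERABLE_JAVA = """\
package example;
import org.kohsuke.stapler.QueryParameter;

public class VirtualMachineManagementServer {
    public String getJsUrl(String jsName) {
        return jsName;
    }

    public void doControlSubmit(@QueryParameter("stopId") String stopId) {
        // stops the domain named by stopId: state-changing, GET-reachable
    }

    public FormValidation doCheckName(@QueryParameter String value) {
        return FormValidation.ok();
    }
}
"""

# The fix pattern from the patch: restrict the verb, leave the body alone.
FIXED_JAVA = VULNERABLE_JAVA.replace(
    "    public void doControlSubmit",
    "    @POST\n    public void doControlSubmit",
)


if __name__ == "__main__":
    print("before fix:", find_unrestricted(VULNERABLE_JAVA))
    print("after fix: ", find_unrestricted(FIXED_JAVA))
```

Run it over a plugin's `src/main/java` tree and treat every hit as a question rather than a finding: a `do*` method that only renders data is fine on GET, one that changes state needs the annotation and an authorization check.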
References
- [1] github.com/advisories/GHSA-mm5c-7mpr-99fm (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-21627 (NVD)
- [3] www.openwall.com/lists/oss-security/2021/03/18/5 (oss-security mailing list)
- [4] github.com/jenkinsci/libvirt-slave-plugin/commit/655eab9bde26e8b8e11034f6c405af374564cae7 (fix commit)
- [5] www.jenkins.io/security/advisory/2021-03-18/ (Jenkins Security Advisory)
News mentions
- Jenkins Security Advisory 2021-03-18 (Jenkins Security Advisories, Mar 18, 2021)