Allele Security Alert
ASA-2019-00612, CVE-2019-10472, SECURITY-1014 (1)
Missing permission checks
Jenkins Libvirt Slaves Plugin
Jenkins Libvirt Slaves Plugin versions up to and including 1.8.5
Proof of concept
Jenkins Libvirt Slaves Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
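To show the class of defect the advisory describes, here is an added illustration (not code from the plugin, the advisory, or the Jenkins project): a Stapler form-validation method that tests an SSH login with a stored credentials ID, first without any authorization check, then with the permission check and POST requirement a hardened version carries. The class, method and parameter names are hypothetical; the Jenkins, credentials-plugin and trilead-ssh2 APIs used are real.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.trilead.ssh2.Connection;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor; class and method names are illustrative only.
public class HypotheticalLibvirtCloudDescriptor {
    // VULNERABLE: no authorization check, so any user with Overall/Read can reach
    // this URL with a host they control and a credentials ID learned elsewhere.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String host,
            @QueryParameter int port, @QueryParameter String credentialsId) {
        return tryConnect(host, port, credentialsId);
    }
    // FIXED: require Administer before any credential is resolved or any
    // connection is opened, and require POST so a plain GET cannot trigger it.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String host,
            @QueryParameter int port, @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(host, port, credentialsId);
    }
    // The lookup runs as SYSTEM, so the caller's own rights play no part here;
    // the permission check in the calling method is the only gate.
    private FormValidation tryConnect(String host, int port, String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, java.util.Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("No such credentials: " + credentialsId);
        }
        Connection conn = new Connection(host, port);
        try {
            conn.connect();
            // The stored password is sent to whichever host was supplied: the leak.
            boolean ok = conn.authenticateWithPassword(c.getUsername(), c.getPassword().getPlainText());
            return ok ? FormValidation.ok("Connected") : FormValidation.error("Authentication failed");
        } catch (java.io.IOException e) {
            return FormValidation.error(e, "Connection failed");
        } finally {
            conn.close();
        }
    }
}
```

Auditing a plugin for this pattern means checking every `do*` form-validation method that resolves credentials or opens an outbound connection for a `checkPermission` call and a `@RequirePOST` annotation.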
Oleg Nenashev (CloudBees, Inc.)
Jenkins Security Advisory 2019-10-23
Jenkins security advisory
oss-security – Multiple vulnerabilities in Jenkins plugins
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 5, 2019