
CVE-2019-10471: Jenkins Libvirt Slaves Plugin vulnerable to Cross-Site Request Forgery

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score
0.27186%
Published
5/24/2022
Updated
12/26/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name: org.jenkins-ci.plugins:libvirt-slave
Ecosystem: maven
Vulnerable Versions: < 1.8.6
First Patched Version: 1.8.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing POST request enforcement on form validation endpoints. The GitHub patch adds checkMethod="post" to Jelly UI components, which correspond to backend form handlers; Jenkins typically validates form fields through doCheck<FieldName>() methods on the descriptor. The affected Jelly files (Hypervisor/config.jelly and VirtualMachineSlave/configure-entries.jelly) control hypervisor and slave configuration, and because their pre-patch validation requests were not restricted to POST, the associated validation methods could be triggered by a cross-site request. The commit explicitly targets CSRF (CVE-2019-10471), confirming these endpoints were the attack surface.
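To make the fix concrete, the following is an added illustration of the standard Jenkins hardening pattern for form validation that the analysis above describes. It is not code from the Libvirt Slaves Plugin or from the patch; the class name ExampleHypervisor, the field hypervisorHost and the permission chosen are hypothetical. The Jelly fragments are shown in comments beside the Java descriptor because the two halves must agree: checkMethod="post" makes the browser send the validation request as a POST carrying the CSRF crumb, and the @POST annotation on the handler rejects a crafted GET even if some other form renders the field without the attribute.

```java
// Added example of the Jenkins form-validation CSRF hardening pattern.
// Not the Libvirt Slaves Plugin's code; names are hypothetical.
//
// Weak Jelly (validation sent as GET, so no CSRF crumb is required and a
// cross-site page can trigger the doCheck handler with attacker-chosen input):
//   <f:entry title="Hypervisor host" field="hypervisorHost">
//     <f:textbox/>
//   </f:entry>
//
// Hardened Jelly (what the CVE-2019-10471 patch adds to the affected files):
//   <f:entry title="Hypervisor host" field="hypervisorHost">
//     <f:textbox checkMethod="post"/>
//   </f:entry>

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleHypervisor extends AbstractDescribableImpl<ExampleHypervisor> {

    private final String hypervisorHost;

    @DataBoundConstructor
    public ExampleHypervisor(String hypervisorHost) {
        this.hypervisorHost = hypervisorHost;
    }

    public String getHypervisorHost() {
        return hypervisorHost;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleHypervisor> {

        // Server-side half of the fix. Jenkins routes the Jelly field's
        // validation request to doCheck<FieldName>() on the descriptor.
        // @POST refuses GET requests outright, so the CSRF crumb check that
        // Jenkins applies to POST cannot be bypassed by rendering the field
        // elsewhere without checkMethod="post". The permission check matters
        // because validation that has side effects (e.g. opening a connection
        // to the configured host) must never run for an unprivileged caller.
        @POST
        public FormValidation doCheckHypervisorHost(@QueryParameter String value) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("Hypervisor host is required");
            }
            return FormValidation.ok();
        }

        @Override
        public String getDisplayName() {
            return "Example hypervisor";
        }
    }
}
```

As a review check on any Jenkins plugin, grep its Jelly files for f:textbox, f:select and similar form controls that lack checkMethod="post" and pair each with the matching doCheck method; a handler that performs network access or reads credentials without both the POST restriction and a permission check is the shape of the defect recorded here.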


WAF Protection Rules

WAF Rule

A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenk
