Jenkins Libvirt Agents Plugin 1.9.0 and earlier does not require POST requests for a form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to stop hypervisor domains.

Jenkins Libvirt Agents Plugin 1.9.1 requires POST requests for the affected HTTP endpoint.

Affected Packages

Maven org.jenkins-ci.plugins:libvirt-slave

Affected versions: 0 (fixed in 1.9.1)

Related CVEs

CVE-2021-21627

Key Information

GHSA ID

GHSA-mm5c-7mpr-99fm

Published

May 24, 2022 5:44 PM

Last Modified

October 27, 2023 1:42 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:libvirt-slave

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.