
CVE-2019-1003035: Information disclosure in Azure VM Agents Plugin

CVSS Score: 4.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.05765%
Published: 5/13/2022
Updated: 12/14/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:azure-vm-agents
Ecosystem: maven
Vulnerable Versions: <= 0.8.0
First Patched Version: 0.8.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two form validation methods that verify Azure configuration values. Both methods were vulnerable for the following reasons, and the following evidence supports identifying them as the affected code:

  1. They lacked @RequirePOST annotations, so they could be invoked via GET and were therefore susceptible to CSRF attacks
  2. They did not perform a Jenkins.ADMINISTER permission check, allowing users with only Overall/Read access to execute them
  3. The commit patching the vulnerability adds exactly these two security measures to both methods
  4. The advisory explicitly names these methods as the attack vector for the information disclosure
  5. The assigned CWE-862 (Missing Authorization) maps directly to the missing permission checks in these methods
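The pattern described above, shown as a Jenkins form-validation method first in its vulnerable shape and then hardened with the two measures the fix adds. This is an added example, not code from the Azure VM Agents plugin; the class, the method name doVerifyConfiguration, its parameters and the probeAzure helper are hypothetical stand-ins.

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor standing in for the plugin's cloud/template descriptors.
public class ExampleAzureConfigDescriptor {

    // BEFORE (the CVE-2019-1003035 pattern): no @RequirePOST, so the method answers
    // plain GET requests and can be triggered cross-site; no permission check, so any
    // user with Overall/Read can run the Azure verification and read its result.
    public FormValidation doVerifyConfigurationUnsafe(
            @QueryParameter String subscriptionId,
            @QueryParameter String credentialsId) {
        return probeAzure(subscriptionId, credentialsId);
    }

    // AFTER: the two measures the advisory's fix adds to both methods.
    @RequirePOST // Stapler rejects GET; POST requests carry the CSRF crumb.
    public FormValidation doVerifyConfiguration(
            @QueryParameter String subscriptionId,
            @QueryParameter String credentialsId) {
        // Only administrators may run a probe that uses stored Azure credentials;
        // checkPermission throws AccessDeniedException for everyone else.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probeAzure(subscriptionId, credentialsId);
    }

    // Hypothetical stand-in for the real Azure verification call.
    private FormValidation probeAzure(String subscriptionId, String credentialsId) {
        if (subscriptionId == null || subscriptionId.isEmpty()) {
            return FormValidation.error("Subscription ID is required");
        }
        if (credentialsId == null || credentialsId.isEmpty()) {
            return FormValidation.error("Credentials are required");
        }
        return FormValidation.ok("Configuration verified");
    }
}
```

In a real plugin these methods live on a Descriptor subclass; Jenkins.get() requires Jenkins 2.98 or later, older cores use Jenkins.getInstance().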


WAF Protection Rules

WAF Rule

An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers
