4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-1003035

GHSA ID

GHSA-3hg6-c7f8-3348

EPSS Score

0.05765%

CWE

CWE-862

Published

5/13/2022

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-1003035

CVE-2019-1003035: Information disclosure in Azure VM Agents Plugin

An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-1003035

GHSA ID

GHSA-3hg6-c7f8-3348

EPSS Score

0.05765%

CWE

CWE-862

Published

5/13/2022

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:azure-vm-agents	maven	<= 0.8.0	0.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two form validation methods handling Azure configuration verification. Both methods were vulnerable because:

They lacked @RequirePOST annotations, making them susceptible to CSRF attacks
They didn't perform Jenkins.ADMINISTER permission checks, allowing users with only Overall/Read access to execute them
The commit patching the vulnerability specifically adds these security measures to both methods
The advisory explicitly mentions these methods as the attack vector for information disclosure
The CWE-862 (Missing Authorization) directly maps to the missing permission checks in these functions

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n in*orm*tion *xposur* vuln*r**ility *xists in J*nkins *zur* VM ***nts Plu*in *.*.* *n* **rli*r in sr*/m*in/j*v*/*om/mi*roso*t/*zur*/vm***nt/*zur*VM***ntT*mpl*t*.j*v*, sr*/m*in/j*v*/*om/mi*roso*t/*zur*/vm***nt/*zur*VM*lou*.j*v* t**t *llows *tt**k*rs

Reasoning

T** vuln*r**ility st*ms *rom two *orm v*li**tion m*t*o*s **n*lin* *zur* *on*i*ur*tion v*ri*i**tion. *ot* m*t*o*s w*r* vuln*r**l* ****us*: *. T**y l**k** @R*quir*POST *nnot*tions, m*kin* t**m sus**pti*l* to *SR* *tt**ks *. T**y *i*n't p*r*orm J*nkins.

4.3

Basic Information

Concerned about an active attack path?

CVE-2019-1003035: Information disclosure in Azure VM Agents Plugin

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI