CVE-2019-1003035: Information disclosure in Azure VM Agents Plugin
CVSS Score: 4.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2019-1003035
GHSA ID
EPSS Score: 0.05765%
CWE: CWE-862 (Missing Authorization)
Published: 5/13/2022
Updated: 12/14/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:azure-vm-agents | maven | <= 0.8.0 | 0.8.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two form validation methods that verify the Azure configuration entered in the plugin's cloud settings. Both methods were vulnerable because:
- They lacked the @RequirePOST annotation, so they could be reached with a plain GET request and were therefore susceptible to CSRF attacks
- They did not perform a Jenkins.ADMINISTER permission check, so any user with only Overall/Read access could invoke them and trigger the verification against Azure
Evidence that these two methods are the affected code:
- The commit patching the vulnerability adds exactly these two safeguards (@RequirePOST and the Jenkins.ADMINISTER check) to both methods
- The advisory explicitly names these methods as the attack vector for the information disclosure
- The assigned CWE-862 (Missing Authorization) maps directly to the missing permission checks in these functions
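The fix pattern described above, shown as an added illustration rather than the plugin's own code: a Jenkins/Stapler form validation method in its unprotected form next to the hardened form with both safeguards. The class, method and parameter names (AzureConfigValidationExample, doVerifyConfiguration, subscriptionId, credentialsId) are hypothetical; in a real plugin these methods live on a Descriptor.

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical class illustrating the pattern; not the Azure VM Agents Plugin's code. */
public class AzureConfigValidationExample {

    // BEFORE (the vulnerable pattern): Stapler exposes any public do*() method as a URL.
    // With no @RequirePOST it answers GET requests (CSRF-able), and with no permission
    // check any authenticated user with Overall/Read can drive the Azure verification call.
    public FormValidation doVerifyConfigurationUnprotected(@QueryParameter String subscriptionId,
                                                           @QueryParameter String credentialsId) {
        return verifyAgainstAzure(subscriptionId, credentialsId);
    }

    // AFTER (the patched pattern): only reachable via POST, which carries the Jenkins
    // crumb and so defeats CSRF, and only for users holding Overall/Administer.
    @RequirePOST
    public FormValidation doVerifyConfiguration(@QueryParameter String subscriptionId,
                                                @QueryParameter String credentialsId) {
        // Throws AccessDeniedException for anyone without Overall/Administer.
        // Jenkins.get() requires core >= 2.98; older cores use Jenkins.getInstance().
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return verifyAgainstAzure(subscriptionId, credentialsId);
    }

    // Stand-in for the verification that contacts Azure with the configured credentials.
    // Its outcome (success/error detail) is what the unprotected method leaks to
    // under-privileged callers; the body here is a placeholder, not the real check.
    private FormValidation verifyAgainstAzure(String subscriptionId, String credentialsId) {
        if (subscriptionId == null || subscriptionId.trim().isEmpty()) {
            return FormValidation.error("Subscription ID is required");
        }
        if (credentialsId == null || credentialsId.trim().isEmpty()) {
            return FormValidation.error("Credentials are required");
        }
        return FormValidation.ok("Configuration verified");
    }
}
```

When reviewing a Jenkins plugin for this class of bug, every public do*() method on a Descriptor that reaches out to an external service or reflects configuration state should carry both the @RequirePOST annotation and an explicit checkPermission call matching the configuration's own permission.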