Miggo Logo

CVE-2019-1003036: Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration

4.3

CVSS Score
3.1

Basic Information

EPSS Score
0.06655%
Published
5/13/2022
Updated
12/14/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:azure-vm-agentsmaven<= 0.8.00.8.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the doAttachPublicIP method in AzureVMAgent.java. The commit 6cf1e11 added both @RequirePOST annotation and Computer.CONFIGURE permission check, indicating these security controls were previously missing. The advisory explicitly states this endpoint allowed unauthorized configuration changes via missing authorization checks (CWE-862). The function's pre-patch version (<=0.8.0) would execute the sensitive IP attachment operation without verifying user privileges.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* **t* mo*i*i**tion vuln*r**ility *xists in J*nkins *zur* VM ***nts Plu*in *.*.* *n* **rli*r in sr*/m*in/j*v*/*om/mi*roso*t/*zur*/vm***nt/*zur*VM***nt.j*v* t**t *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *tt*** * pu*li* IP ***r*ss to *n *zur* V

Reasoning

T** vuln*r**ility st*ms *rom t** `*o*tt***Pu*li*IP` m*t*o* in `*zur*VM***nt.j*v*`. T** *ommit `*******` ***** *ot* `@R*quir*POST` *nnot*tion *n* `*omput*r.*ON*I*UR*` p*rmission ****k, in*i**tin* t**s* s**urity *ontrols w*r* pr*viously missin*. T** **