CVE-2019-1003036: Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration
CVSS Score: 4.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2019-1003036
GHSA ID
EPSS Score: 0.06655%
CWE: CWE-862
Published: 5/13/2022
Updated: 12/14/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:azure-vm-agents | maven | <= 0.8.0 | 0.8.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the `doAttachPublicIP` method in `AzureVMAgent.java`. The commit `6cf1e11` added both the `@RequirePOST` annotation and a `Computer.CONFIGURE` permission check, indicating these security controls were previously missing. The advisory explicitly states this endpoint allowed unauthorized configuration changes via missing authorization checks (CWE-862). The function's pre-patch version (<=0.8.0) would execute the sensitive IP attachment operation without verifying user privileges.
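A heuristic source check for the defect class described above, as an added example (not code from the plugin, the commit, or the advisory): it flags Stapler-style `do*` web methods that lack `@RequirePOST` or a `checkPermission` call. The Java input is constructed for illustration; its method bodies and the `attachPublicIP()` helper are placeholders, and the names `audit` and `method_body` are this example's own.

```python
import re

# Constructed Java input, NOT the plugin's real source; attachPublicIP() is a placeholder.
SAMPLE = '''\
public class AgentBefore {
    public void doAttachPublicIP() {
        attachPublicIP();
    }
}
public class AgentAfter {
    @RequirePOST
    public void doAttachPublicIP() {
        checkPermission(Computer.CONFIGURE);
        attachPublicIP();
    }
    public String getDisplayName() { return "agent"; }
}
'''

# Stapler routes HTTP requests to public methods named do<Name>.
WEB_METHOD = re.compile(
    r'((?:^[ \t]*@\w+(?:\([^)]*\))?[ \t]*\n)*)'  # annotation lines directly above
    r'^[ \t]*public\s+[\w<>\[\], .]+?\s+(do[A-Z]\w*)\s*\([^)]*\)[^{;]*\{',
    re.MULTILINE)

def method_body(src, open_brace):
    """Text between the brace at open_brace and its match (braces in strings/comments not handled)."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace + 1:i]
    return src[open_brace + 1:]

def audit(src):
    # Returns (line, method, missing_controls) for each unguarded web method.
    findings = []
    for m in WEB_METHOD.finditer(src):
        annotations, name = m.group(1), m.group(2)
        missing = []
        if '@RequirePOST' not in annotations:
            missing.append('@RequirePOST')
        if 'checkPermission(' not in method_body(src, m.end() - 1):
            missing.append('permission check')
        if missing:
            findings.append((src.count('\n', 0, m.start(2)) + 1, name, missing))
    return findings

if __name__ == '__main__':
    print(audit(SAMPLE))
```

The check is textual, so a hit is a prompt for manual review: a permission check performed in a called helper or a caller will be reported as missing.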