4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-1003036

GHSA ID

GHSA-m33c-cjjj-2mg4

EPSS Score

0.06655%

CWE

CWE-862

Published

5/13/2022

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-1003036

CVE-2019-1003036:
Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration

A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-1003036

GHSA ID

GHSA-m33c-cjjj-2mg4

EPSS Score

0.06655%

CWE

CWE-862

Published

5/13/2022

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:azure-vm-agents	maven	<= 0.8.0	0.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the doAttachPublicIP method in AzureVMAgent.java. The commit 6cf1e11 added both @RequirePOST annotation and Computer.CONFIGURE permission check, indicating these security controls were previously missing. The advisory explicitly states this endpoint allowed unauthorized configuration changes via missing authorization checks (CWE-862). The function's pre-patch version (<=0.8.0) would execute the sensitive IP attachment operation without verifying user privileges.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* **t* mo*i*i**tion vuln*r**ility *xists in J*nkins *zur* VM ***nts Plu*in *.*.* *n* **rli*r in sr*/m*in/j*v*/*om/mi*roso*t/*zur*/vm***nt/*zur*VM***nt.j*v* t**t *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *tt*** * pu*li* IP ***r*ss to *n *zur* V

Reasoning

T** vuln*r**ility st*ms *rom t** `*o*tt***Pu*li*IP` m*t*o* in `*zur*VM***nt.j*v*`. T** *ommit `*******` ***** *ot* `@R*quir*POST` *nnot*tion *n* `*omput*r.*ON*I*UR*` p*rmission ****k, in*i**tin* t**s* s**urity *ontrols w*r* pr*viously missin*. T** **

4.3

Basic Information

Concerned about an active attack path?

CVE-2019-1003036: Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-1003036:
Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration

Vulnerability Intelligence
Miggo AI